(54) INFORMATION PROCESSING SYSTEM AND METHOD



An information processing system and method are disclosed in which information processing is performed in a highly efficient manner using an enabling key block (EKB) on the basis of a tree structure including category subtrees. A key tree is produced so as to include a plurality of subtrees that are grouped in accordance with categories and managed by category entities. An EKB is produced so as to include data produced by selecting a path in the key tree and encrypting an upper-level key in the selected path using a lower-level key in the selected path, and the resultant EKB is provided to a device. If a change occurs in state of a category tree capable of processing an EKB identified in the EKB type definition list, a notification of the change in state is sent to an entity that uses the EKB, thereby making it possible for an EKB requester to perform processing in accordance with a newest EKB.



FIG. 83 
Description

Technical Field

[0001] The present invention relates to an information processing system, an information processing method, and an information storage medium, and particularly to a data distribution system and method for providing various kinds of data such as content data to an authorized user by means of a process including a cryptographic process. More particularly, the present invention relates to an information processing system, an information processing method, and an information storage medium, in which a key block [...] hierarchical-tree key [...] a device to which a content is to be provided, and the key block is used in encryption of the content and also in transmission of a content key, thereby ensuring that the content, the content key, and other data are securely provided.

Background Art 

[0002] It is now very popular to distribute various kinds of software data such as [...] (hereinafter referred to as a content) via a network such as the Internet or via a distributable storage medium such as a DVD or a CD. After loading such content data onto a PC (Personal Computer) or a game machine of a user via data transmission, or after loading a storage medium on which content data is stored onto the PC or the game machine, the user can enjoy a played-back content. A content stored on a storage medium may be stored into a storage device such as a memory card or a hard disk disposed in a PC or a recording/playing-back apparatus so that the content can be reproduced from the storage device.

[0003] An information apparatus such as a video game machine or a PC may include an interface for receiving a content via a network or accessing a DVD or a CD, and further include a RAM, a ROM, or the like, [...] a program, and data needed to reproduce a content.
[0004] Various kinds of contents such as music data, video [...] from a storage medium and played back on an information apparatus itself such as a game machine or a PC used as a playback device or played back on a display or by a speaker connected to the information apparatus, in response to a command input by a user directly to the information apparatus or indirectly via input means connected to the information apparatus.

[0005] In general, the right of distribution of software contents [...] music data, or video data is held by producers or sellers of the software contents. Software [...] distributed under specific usage limitation to secure that only authorized users can use software contents and that unauthorized copies thereof cannot be made.

[0006] One [...] such as audio data, video data, or a game program is distributed via the Internet or the like after encrypting the content, and a decryption key, which is means for decrypting the [...] authorized users.

[0007] The encrypted data can be converted into its original form [...] well known in the [...]

[0008] Various techniques of encrypting and decrypting data using an encryption key and a decryption key are known. One of them is a technique known as common key cryptography. In the common key cryptography, the same key called a common key is used as both an encryption key for encrypting data and a decryption key for decrypting the data, and the common key is given only to authorized users so that unauthorized users who do not have the common key cannot access the data. A specific example of the common key cryptography is that based on the DES (Data Encryption Standard).

[0009] An encryption key for encrypting data and a decryption key for decrypting the encrypted data can be obtained from a password or the like using a unidirectional function such as a hash function. Herein, the unidirectional function refers to a function whose input is very difficult to guess from an output thereof. Although an encryption/decryption key can be [...] an output obtained by applying a unidirectional function to, for example, a password determined by a user, it is substantially impossible to [...] the original data from which the encryption/decryption key is generated.

[0010] Another known technique is public key cryptography in which [...] encryption and a decryption key used for decryption are generated in accordance with [...] algorithms. In the public key [...] by any unspecified user, is issued by a particular user, and a document to be [...] user is encrypted using [...] by the particular user. The document [...] can only be decrypted [...] corresponding to the encryption key used to encrypt [...] secret key [...] the public key, and thus the document encrypted using the public key can be decrypted [...] the secret key. A representative example of the public key cryptography is that based on the RSA (Rivest-Shamir-Adleman) algorithm. Using one of above-described cryptography techniques, it is possible to realize a system in which encrypted contents can be decrypted only by authorized users.

[0011] In such a content distribution system, encrypted contents are provided to users via a network or via a storage medium such as a DVD or a CD, and content keys used to [...] are provided only to authorized users. To prevent a content key from being copied in an unauthorized manner, it has been proposed to encrypt a content key and provide the encrypted content key to an authorized user so that only the authorized user [...] the encrypted content key [...] the authorized [...]

[0012] [...] is generally [...] authentication [...] a content provider who is a sender of a content, before transmitting a content or a content key. In a usual [...] is determined to be an authorized one, a session key is produced which can be used only during the present communication, and data such as a content or a content key is transmitted [...] key. Authentication may be performed using the common key cryptography or the public key cryptography. In the case where authentication is performed using the common key cryptography, [...] common key for system-wide [...] in renewal. On the other hand, in the case where the public key cryptography is employed, undesirably complex calculations using a memory with an undesirably high capacity are required.

Disclosure of Invention

[0013] It is an object of the present invention to provide a technique of securely transmitting data only to authorized users without having to perform mutual authentication between a sender and a receiver, by using an encrypted key block which can be used (decrypted) in a plurality of category trees defined as subtrees in a hierarchical key distribution tree.
[0014] More specifically, it is an object of the present invention to provide an information processing system, an information processing method, and an information storage medium, in which an enabling key block (EKB) [...] which can be decrypted [...] one of the selected category trees to use the enabling key [...] which EKB type can be processed or decrypted by which category tree, is used, thereby making it possible [...]

[0015] It is [...] to provide an information processing system, an information processing method, and an information storage medium, in which a notification of a change in state of a category tree capable of processing an EKB identified in an EKB type [...] is sent to an entity that uses the EKB, thereby [...] EKB type definition information in processing.

[0016] According to a first aspect of the present invention, there is provided an information processing system in which a key tree is formed so as to include leaves, a root, and nodes existing in paths from the respective leaves to the root; a plurality of devices are assigned to respective leaves; keys are assigned to the root, the leaves, and the nodes located in paths from the root to leaves; an enabling key block (EKB) is produced which includes data produced by selecting a path in the key tree and encrypting an upper-level key in the selected path using a lower-level key in the selected path such that the encrypted data can be decrypted only by the device which can use a node key set corresponding to the selected path; and the resultant enabling key block (EKB) is provided to the device,

wherein the key tree includes a plurality of subtrees serving as category trees which are grouped in accordance with categories and managed by category entities; and

the information processing system includes a key distribution center (KDC) that produces and issues an EKB [...] in common in one or more category trees, wherein

the key distribution center (KDC) has an EKB type definition list representing the correspondence between an EKB type identifier and one or more identification data identifying one or more category trees that can process an EKB of an EKB type identified by the EKB type identifier; and

the key distribution center (KDC) sends a notification of a change in state of a category tree capable of processing an EKB identified in the EKB type definition list to at least an entity that uses the EKB capable of being processed in the category tree in which the change in state has occurred.

[0017] In an embodiment of the information processing system according to the present invention, the change in state in a category tree is a change in state arising from revocation of a device in the category tree.
[0018] In an embodiment of the information processing system according to the present invention, the change in state in a category tree is a change in state arising from a change of a key stored in a device belonging to the category tree.

[0019] In an embodiment of the information processing system according to the present invention, the entity, which uses the EKB, includes an entity serving as an EKB requester that issues an EKB production request to the key distribution center (KDC).

[0020] In an embodiment of the information processing system according to the present invention, the entity, which uses the EKB, includes an entity serving as a category entity that manages a category tree capable of processing an EKB defined in the EKB type definition list.

[0021] In an embodiment of the information processing system according to the present invention, the key distribution center (KDC) sends a notification of a change in state to all entities serving as an EKB requester that issues an EKB production request to the key distribution center (KDC) or serving as a category entity that manages a category tree.

[0022] In an embodiment of the information processing system according to the present invention, the key distribution center (KDC) receives state change information indicating occurrence of a change in state of a category tree from a category entity that manages said category tree, produces a notification of the change in state in accordance with the state change information received from the category entity, and sends the produced notification.

[0023] According to a second aspect of the present invention, there is provided an information processing method for use in a system in which a key tree is formed so as to include leaves, a root, and nodes existing in paths from the respective leaves to the root; a plurality of devices are assigned to respective leaves; keys are assigned to the root, the leaves, and the nodes located in paths from the root to leaves; an enabling key block (EKB) is produced which includes data produced by selecting a path in the key tree and encrypting an upper-level key in the selected path using a lower-level key in the selected path such that the encrypted data can be decrypted only by the device which can use a node key set corresponding to the selected path; and the resultant enabling key block (EKB) is provided to the device,

wherein a key distribution center (KDC), which produces [...] of a change in state of a category tree capable of processing an EKB identified in the EKB type definition list, in which the correspondence between an EKB type identifier and one or more identification data identifying one or more category trees capable of processing an EKB of an EKB type identified by the EKB type identifier is described, [...] entity that uses [...] in which the change in state has occurred.

[0024] In an embodiment of the information processing method according to the present invention, the change in state in a category tree is a change in state arising from revocation of a device in the category tree.

[0025] In an embodiment of the information processing method according to the present invention, the change in state in a category tree is a change in state arising from a change of a key stored in a device belonging to the category tree.

[0026] In an embodiment of the information processing method according to the present invention, the entity, which uses the EKB, includes an entity serving as an EKB requester that issues an EKB production request to the key distribution center (KDC).

[0027] In an embodiment of the information processing method according to the present invention, the entity, which uses the EKB, includes an entity serving as a category entity that manages a category tree capable of processing an EKB defined in the EKB type definition list.

[0028] In an embodiment of the information processing method according to the present invention, the key distribution center (KDC) sends a notification of a change in state to all entities serving as an EKB requester that issues an EKB production request to the key distribution center (KDC) or serving as a category entity [...]

[0029] In an embodiment of the information processing method according to the present invention, the key distribution center (KDC) receives state change information indicating occurrence of a change in state of a category tree from a category entity that manages said category tree, produces a notification of the change in state in accordance with the state change information received from the category entity, and sends the produced notification.

[0030] According to a third aspect of the present invention, there is provided a program storage medium having a computer program stored therein for causing a computer system to execute information processing [...] in a system in which a key tree is formed so as to include leaves, a root, and nodes existing in paths from the respective leaves to the root; a plurality of devices are assigned to respective leaves; keys are assigned to the root, the leaves, and the nodes located in paths from the root to leaves; an enabling key block (EKB) is produced which includes data produced by selecting a path in the key tree and encrypting an upper-level key in the selected path using a lower-level key in the selected path such that the encrypted data can be decrypted only by the device which can use a node key set corresponding to the selected path; and the resultant enabling key block (EKB) is provided to the device, the computer program including the steps of:

receiving state change information indicating occurrence of a change in state of a category tree from a category entity that manages said category tree;

producing a notification of the change in state in accordance with the state change information received from the category entity and sending the produced notification to at least an entity that uses the EKB capable of being processed in the category tree in which the change in state has occurred.

[0031] In the present invention, by using the encryption [...] based on the hierarchical tree structure in which devices are assigned to leaves [...] as an encryption key of a content, an authentication key used in authentication, or a program code is transmitted together with an enabling key block.
[0032] Furthermore, the data size of the enabling key block is reduced [...] encrypted key [...] keys, thereby making it possible to perform decryption [...] data is produced in an encrypted form that can be decrypted only by an authorized device, whereby the data is securely provided to the authorized device.
[0033] Furthermore, an enabling key block (EKB) is produced so as [...] encrypted [...] that can be decrypted in selected one or more category trees [...] any one of those category trees [...] EKB is produced and managed in a highly efficient manner by using the EKB type definition list representing which EKB can be processed or decrypted in which category tree.
[0034] [...] present invention [...] a computer program in a computer readable form to a general-purpose computer system executable of various program codes. The medium is not limited to a particular type, but various types [...] storage medium such as a CD, FD, or MD, or a transmission medium such as a network may be employed.
[0035] The program storage medium defines a cooperative relationship in structure or function for realizing a function of a particular computer program on a computer system, between the computer program and the storage medium. [...] a particular computer program onto a computer system via a program storage medium, it becomes possible to achieve a cooperative operation on the computer system, thereby achieving functions similar to those achieved by the other aspects of the present invention.
[0036] In the [...], the term "system" is used to describe [...] of a plurality of devices, and it is not necessarily required that the plurality of devices are disposed in a single case.
[0037] These and other objects and features of the present invention will become more apparent from the following detailed description [...] reference to the accompanying drawings.

Brief Description of the Drawings

Fig. 1 is a diagram showing an example of an information processing system according to the present invention.

Fig. 2 is a block diagram showing an example of a [...] in the information processing system according to the present invention.

Fig. 3 is a tree structure diagram [...] keys and a process of encrypting data used or performed [...] information processing system according to the present invention.

Fig. 4 is a diagram showing an example of an enabling key block (EKB) used to distribute various [...]

Fig. 5 is a diagram showing an example of a manner of distributing a content key using an enabling key block (EKB) and an example of a decryption process [...] according to the present invention.

Fig. 6 is a diagram showing an example of a format of an enabling key block (EKB) used in the information processing system according to the present invention.

Fig. 7 is a diagram illustrating [...] an enabling key block (EKB) used in the information processing system according to the present invention.

Fig. 8 is a diagram showing [...] of a data format used to distribute an enabling key block (EKB) together with a content key and a content, in the [...]

Fig. 9 is a diagram showing an example of a process performed by a device in a case where an enabling key block (EKB) is [...] with a content key and a content, in the processing system according to the present invention.

Fig. 10 is a diagram showing correspondence between an enabling key block (EKB) and a content for a case in which an enabling key block (EKB) and contents are stored on a storage medium, in the information processing system according to the present invention.

Fig. 11 is a diagram showing a process of distributing a content using an enabling key block (EKB), in the information processing system according to the present invention, wherein, for the purpose of [...]

Fig. 12 is a diagram showing an authentication sequence using a common key [...] in the information processing system according to the present invention.

Fig. 13 is a diagram showing (a first example of) a data format [...] an authentication key and an example of a process performed by a device, in the information processing system according to the present invention.

Fig. 14 is a diagram showing (a second example of) [...] block (EKB) together with an authentication key and an example of a process performed by a device, in the information processing system according to the present invention.

Fig. 15 is a diagram showing an authentication sequence using [...] in the [...] processing system according to the present invention.

Fig. 16 is a diagram showing a process of transmitting an enabling key block (EKB) together with a content key using authentication using a public key cryptographic technique, in the processing system according to the present invention.

Fig. 17 is a diagram showing a process of transmitting [...] together with encrypted program data, in the processing system according to the present invention.

Fig. 18 is a diagram showing [...] of a process of producing a MAC value used to produce an [...] (ICV), in the information processing system according to the present invention.

Fig. 19 is a diagram showing [...] used to transmit an enabling key block (EKB) together with an ICV generation key, in the information processing system according to the present invention.

Fig. 20 is a diagram showing (a second example of) a data format used to transmit an enabling key block (EKB) together with an ICV generation key, in the information processing system according to the present invention.

Fig. 21 is a diagram showing [...] integrity check value (ICV) in a medium, in the information processing system according to the present invention.

Fig. 22 is a diagram showing a method of managing a content integrity check value (ICV) separately from a content storage medium, in the information processing system according to the present invention.

Fig. 23 is a diagram showing an example of [...] hierarchical tree structure, in the information processing system according to the present invention.

Fig. 24 is a diagram showing a process of producing a simplified enabling key block (EKB), in the information processing system according to the present invention.

Fig. 25 is a diagram showing a process of producing an enabling key block (EKB), in the information processing system according to the present invention.

Fig. 26 is a diagram showing a (first example of) simplified enabling key block (EKB) used in the information processing system according to the present invention.

Fig. 27 is a diagram showing a (second example of) [...] used in the information processing system according to the [...]

Fig. 28 is a diagram showing a manner of managing category trees in a hierarchical tree structure in the information processing system according to the present invention.

Fig. 29 is a diagram showing the detailed manner of managing category trees in a hierarchical tree [...] according to the present invention.

Fig. 30 is a diagram showing [...] of managing category trees in a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 31 is a diagram showing a reserved node used in management of category trees in a hierarchical tree structure, in the [...]

Fig. 32 is a diagram showing a new category tree registration [...] in management of category trees in a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 33 is a diagram showing the relationship between a new category tree and a higher-level category tree in management of category trees in a hierarchical tree structure, in the information processing [...]

Fig. 34 is a diagram showing a sub-EKB used in management of category trees having a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 35 is a diagram showing a device revocation process performed in management of category trees having a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 36 is a diagram showing a device revocation sequence performed in management of category trees having a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 37 is a diagram showing a sub-EKB renewed in response to device revocation in management of category trees having a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 38 is a diagram showing a category tree revocation process performed in management of category trees in the form of a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 39 is a diagram showing [...] category [...] hierarchical tree structure, in the information processing system according to the present invention.

Fig. 40 is a diagram showing the relationship between a revoked category tree and a higher-level category tree [...] the form of a hierarchical tree structure, in the information processing system according to the present invention.
Fig. 41 is a diagram showing setting of capabilities in management of category trees in the form of a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 42 is a diagram showing [...] of capabilities in management of category trees in the form of a hierarchical tree structure, in the information processing system according to the present invention.

Fig. 43 is a diagram showing a capability management table managed by a key distribution center (KDC) in the information processing system according to the present invention.

Fig. 44 is a flow chart of a process of producing an EKB [...] management table managed by a key distribution center (KDC) in the [...] according to the present invention.

Fig. 45 is a diagram showing a capability notification process performed when a new category tree is registered, in the information processing system according to the present invention.

Fig. 46 is a diagram [...] category trees [...] in the information [...] the present invention.

Fig. 47 is a diagram showing [...] of processes performed among an EKB requester, a key distribution center, and a top-level category entity (TLCE), in the information processing system according to the present invention.

Fig. 48 is a diagram showing an example of hardware configurations of an EKB requester, a key distribution center, and a top-level category entity (TLCE), in the information processing system according to the present invention.

Fig. 49 is a diagram showing a device node key (DNK) set held by a device in the information processing system according to the present invention.

Fig. 50 is a diagram showing a data format of an EKB type definition list used in the information processing system according to the present invention.

Fig. 51 is a flow chart [...]

Fig. 52 is a flow chart of an EKB type revocation process performed in the information [...]

Fig. 53 is a flow chart of a tree change notification process performed in the information processing system according to the present invention.

Fig. 54 is a flow chart of an EKB type list requesting process performed in the information processing system according to the present invention.

Fig. 55 is a diagram showing a sub-EKB production process performed in the information processing system according to the present invention.

Fig. 56 is a diagram showing [...] process performed in the information processing system according to the present invention.

Fig. 57 is a diagram showing a process of producing an EKB [...] sub-EKB's, in the information processing system according to the present invention.

Fig. 58 is a diagram showing [...] a sub-EKB in a situation in which there is a device to be revoked, in the information processing system according to the present invention.

Fig. 59 is a diagram showing a process of producing an EKB by combining sub-EKB's in a situation in which there is a device to be revoked, in the information processing system according to the present invention.

Fig. 60 is a diagram showing [...] of a combined EKB produced from sub-EKB's used in the information [...] according to the present invention.

Fig. 61 is a diagram showing a data format of a combined EKB produced from sub-EKB's used in the information processing system according to the present invention.

Fig. 62 is a diagram showing a data format of a combined EKB which [...] from sub-EKB's in a situation in which there is a device to be revoked, in the information processing system according to the present invention.

Fig. 63 is a diagram showing a revocation process in data distribution system in the information processing system according to the present invention.

Fig. 64 is a diagram showing a revocation process in a [...] in the information processing system according to the present invention.

Best Mode for Carrying Out the Invention

[Outline of system]

[0039] Fig. 1 illustrates an example of a content distribution system based on an information processing system according to the present invention. A device on a content transmission side 10 transmits a content or a content key in an encrypted form to various devices on a content reception side 20. A device on the reception side 20 plays back video data or audio data or executes [...] by decrypting [...] content or encrypted content key. Transmission of data between the content transmission side 10 and the content reception side 20 is performed via a network such as the Internet or via a [...] a CD.

[0040] Specific examples of transmission means used on the content transmission side 10 include the Internet [...] 13, and a medium 14 such as a DVD or CD. Specific examples of devices on the content reception side 20 include a personal computer (PC) 21, a portable computer (PD) 22, a portable device 23 such as a portable [...] player of a CD [...] device 25 such as a game terminal. The devices on the content reception side 20 can acquire a content transmitted from the content transmission side 10 via communication means such as a network or via a medium 30.

[Device Configuration]

[0041] Fig. 2 is a block diagram illustrating a configuration of a recording/reproducing apparatus 100 that is an example of devices on the content reception side 20 shown in Fig. 1. The recording/reproducing apparatus 100 includes an input/output interface 120, an MPEG (Moving Picture Experts Group) codec 130, an input/output interface 140 including an A/D and D/A converter 141, cryptography means 150, a ROM (Read Only Memory) 160, a CPU (Central Processing Unit) 170, a memory 180, and a drive 190 for driving a storage medium 195, wherein those parts are connected to each other via a bus 110.

[0042] The input/output interface 120 receives a digital signal [...] a content such as video data, audio data, or a program provided from the outside and outputs the received digital signal over the bus 110. The input/output interface 120 also receives a digital signal via the bus 110 and outputs the received digital signal to the outside. The MPEG codec 130 MPEG-decodes [...] data supplied via [...] 140. The MPEG codec 130 also MPEG-encodes a digital signal supplied from the input/output interface 140 and outputs the resultant encoded signal over the bus 110. The input/output interface 140 includes the A/D and D/A converter 141. The input/output interface 140 receives [...] outside and converts it into digital form using the A/D and D/A converter 141. The resultant digital signal is output to the MPEG codec 130. Conversely, if the input/output interface 140 receives a digital signal from the MPEG codec 130, the input/output interface 140 converts it [...] D/A converter 141 and outputs [...] signal to the [...]

[0043] [...] forming the cryptography means 150 using software will be described later.

[0044] [...] data used by the recording/reproducing apparatus [...] The CPU 170 controls [...] the cryptography means 150 by executing the program stored in the ROM 160 or the memory 180. The memory 180 may be realized using, for example, a nonvolatile memory so as to serve to store the program executed by the CPU 170 or data used by the CPU 170. Key sets used in the [...] performed by the device are also stored in the memory 180. The key sets will be described later. The drive 190 reads (reproduces) [...] storage medium 195 by driving the storage medium 195 capable of storing and reproducing digital data, and the drive 190 outputs the read digital data over the bus 110. [...] is received via the bus 110, the drive 190 supplies the received data to the storage medium 195 so that the digital data is stored onto the storage medium 195.

[0045] The storage medium 195 is a medium capable of storing digital data. [...] include an optical disk such as a DVD or a CD, a magneto-optical disk, a magnetic disk, a magnetic tape, or a [...] storage medium 195 may be disposed [...] the recording/reproducing apparatus 100.

[0046] The cryptography means 150 shown in Fig. 2 may be realized using a one-chip LSI or using software or a combination of software and hardware.

st ton k s on the basis of tree structure] 

[0047] A manner of assigning an encryption key to 
each device and s manner of distribution data are do- 
1 encrypted date is 



scribed below 
transmitted iro; 
to a device on the reception side 20 shown :n Pig. -, 
{0048] In Fig 3, numbers from 0 to 15 at me bottom 
deno f sooth - nside 

20. That is, leaves in the hierarchical tree structure 
shewn in F g a t , , • e devices 
[0049] When devices 0 to 1 S ate produced or shipped, 
or at amp ' 0 > 1 > + s -t - », s, a . hi qtos 



a Oevn 



e aeys 



0 to rc 



[0043] hecryp ,mi ms 1 50 is term? dot foi 

example, a one-chip LSI (Large Scale Integrated C:r- 
lit) so s to serve ii - d > md a digrto con 
tent signal supplied via the bus 110 and also serve to 
perform authentication, Ihe resultant encrypted/de- 
crypted data is output over the bus 1 1 0, The cryptogra- 
phy means 150 may be resided not only using a one- 
chip i. 31 bii! may also bo ) were or a com 
bination olsote-va; ificm nnerof 



cal r t 1 At i '4 - vt< '< it . a1 

device. K000O to Kim shown at the bottom of Fig. 3 
denote eal key ssig i ive devices 0 

to 1 5, artd KRto Kf 1 1 at levels from the top to the second 
level as counted from the bottom denote node keys. 
[0050] In [...], for example, a device 0 has a leaf key K0000 and node keys K000, K00, K0, and KR. Similarly, a device 5 has K0101, K010, K01, K0, and KR, and a device 15 has K1111, K111, K11, K1, and KR. In the example shown in Fig. 3, the tree [...] sixteen devices 0 to 15 and the tree has a symmetric four-level structure; the tree may [...] devices [...] may have a different number of levels other than 4.

[0051] Each device in the tree structure shown in Fig. 3 may be of various types which may use various types of storage media such as a storage device fixedly disposed in a device [...] such as a DVD, a CD, an MD, or a flash memory. Furthermore, various types of application services may be provided via [...]. The [...] hierarchical tree structure for use in distribution of contents or content keys, such as that shown in Fig. 3, is formed so as to adapt to such various types of devices and various types of applications.

[0052] In [...] various types of devices and [...] properly grouped. For example, in Fig. 3, a part enclosed by a dotted line is set as one group including devices 0, 1, 2, and 3, which use the same type of storage medium. For the devices included in this group enclosed by the dotted line, a common content in an encrypted form may be transmitted at the same time from a provider, or a content key that can be used by all devices in the group may be transmitted. Each device in the group transmits content payment data in an encrypted form to a provider or a clearance institution. When content providers or institutions such as a clearance institution [...] data at the same time to all devices 0, 1, 2, and 3 in the group [...] in Fig. 3. The tree shown in Fig. 3 may include a plurality of [...]. Content providers or institutions such as a clearance institution which transmit and receive data to and from devices, [...]

[0053] All node keys and leaf keys may be managed in a unified fashion by one key management center, or node keys and leaf keys may be managed on a group-by-group basis by message data distribution means such as providers or clearance institutions that transmit and receive data to and from the respective groups. In a case where secrecy of a key is broken, node keys and leaf keys are renewed by the key management center.



[0054] In [...] from Fig. 3, [...] K0 [...] KR. Use of such common [...] makes it possible to provide, for example, a common content key only to the devices 0, 1, 2, and 3. For example, if the node key K00 that is held by all devices 0, 1, 2, and 3 is employed as a content key, it is possible to provide the content key that can be used in common only by the devices 0, 1, 2, and 3, without necessitating an additional key transmission process. If a content key Kcon is encrypted using the node key K00 and a value Enc(K00, Kcon) obtained as a result [...] the devices 0, 1, 2, and 3 via a network or a storage medium, then only the devices 0, 1, 2, and 3 can acquire the content key Kcon by decrypting [...] Enc(K00, Kcon) using the [...] held in common by these devices. Herein, Enc(Ka, Kb) denotes data that is obtained by encrypting Kb using Ka.

[0055] At a [...] time t [...] the keys K0011, K001, K00, K0, and KR held by the device 3 have been removed by a hacker and secrecy of the key has been broken, it is needed to isolate the device 3 from the system to protect data transmitted or received in the system (group including the devices 0, 1, 2, and 3). For [...] change the node keys K001, K00, K0, and KR to K(t)001, K(t)00, K(t)0, and K(t)R and transmit the new keys to the devices 0, 1, and 2. Herein, K(t)aaa denotes a renewed key of generation t obtained by renewing a key Kaaa.
[0056] Distribution of renewed keys is described below. Renewal of keys is achieved by supplying a table representing block data called an enabling key block (EKB) such as that shown in Fig. 4(A) to the devices 0, 1, and 2 via a network or a storage medium. The enabling key block (EKB) includes encrypted new keys to be distributed to devices corresponding to leaves in the tree structure shown in Fig. 3. The enabling key block (EKB) is also called a key renewal block (KRB).

[0057] The enabling key block (EKB) shown in Fig. 4(A) includes block data that can be used for renewal of keys only by devices that need renewal of node keys. In the specific example shown in Fig. 4, the block data is produced for the purpose of distributing renewed node keys of generation t to the devices 0, 1, and 2 in the [...] Fig. 3, the devices 0 and 1 need K(t)00, K(t)0, and K(t)R as renewed node keys, and the device 2 needs K(t)001, K(t)00, K(t)0, and K(t)R as renewed node keys.

[0058] As can be seen from Fig. 4(A), the EKB includes a plurality of encrypted keys. An encrypted key Enc(K0010, K(t)001) described at the bottom is produced by encrypting renewed node key K(t)001 by the leaf key K0010 held by the device 2, and thus the device 2 can acquire the [...] by decrypting Enc(K0010, K(t)001) using the leaf key of the device 2. Using this renewed node key K(t)001 obtained via decryption, an encrypted key Enc(K(t)001, K(t)00) in the second row as counted from the bottom in Fig. 4(A) can be decrypted into the renewed node key K(t)00. Similarly, an encrypted key Enc(K(t)00, K(t)0) in the second row as counted from the top in Fig. 4(A) can be decrypted into the renewed node key K(t)0, and an encrypted key Enc(K(t)0, K(t)R) at the top in Fig. 4(A) can be decrypted into K(t)R. On the other hand, for the devices K0000 and K0001, the node key K000 is not needed to renew, and [...] K(t)0 and K[...] K0000 [...] devices K0000 and K0001 acquire K(t)00 by decrypting an encrypted key Enc(K000, K(t)00) in the third row as counted from the top in Fig. 4(A) and acquire the renewed node key K[...] Enc(K(t)00, K(t)0) [...] the top in Fig. 4(A). Furthermore, K(t)R is acquired by decrypting the encrypted key Enc(K(t)0, K(t)R) at the top in Fig. 4(A). In this way, the devices 0, 1, and 2 can acquire the renewed key K(t)R. In Fig. 4(A), indexes indicate the absolute addresses of the node keys and leaf keys used as decryption keys.
[0059] In a case where the node keys K(t)0 and K(t)R [...] in the tree structure shown in Fig. 3 are not needed to renew, but only the node key K00 is needed to renew, the enabling key block (EKB) may be [...] such [...] the renewed node key K[...] and 2.

[0060] The EKB shown in Fig. 4(B) may be used to distribute a new content key to be used in common by a particular group. For example, let us assume that the devices 0, 1, 2, and 3 in the group enclosed by the dotted line in Fig. 3 use a particular type of storage media and that a new common content key K(t)con is needed. In this case, the renewed content key K(t)con for use in common is encrypted using K(t)00 obtained by renewing the node key K00 used in common by the devices 0, 1, 2, and 3, and resultant encrypted data Enc(K(t)00, K(t)con) is distributed together with the EKB shown in Fig. 4(B). This method of distribution allows data to be distributed [...] but cannot be decrypted by the other devices such as a device 4.

[0061] That is, the devices 0, 1, and 2 can acquire the content key K(t)con that is valid at the point of time t by [...] using K(t)00 that can be obtained by processing the EKB.
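The key renewal of paragraphs [0055] to [0061], as an added example that is not part of the patent text: it builds the sixteen-leaf tree of Fig. 3, produces the five rows of Fig. 4(A) when device 3 is revoked, and lets each device process the rows with its own key set. The function names and the `group` parameter are assumptions of this sketch, and Enc(Ka, Kb) is replaced by a stand-in built from HMAC-SHA256, since the page does not name the cipher used for the rows.

```python
import hashlib
import hmac
import os

DEPTH = 4  # Fig. 3: sixteen leaves, node addresses are bit strings ('' = KR)

def enc(key, plaintext):
    """Stand-in for Enc(Ka, Kb): HMAC-SHA256 keystream XOR plus an HMAC tag."""
    assert len(plaintext) <= 32  # one keystream block is enough for a key
    nonce = os.urandom(16)
    stream = hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def dec(key, blob):
    """Return the plaintext, or None when the blob was not made with this key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(key, b"stream" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(body, stream))

def make_tree():
    """One random 16-byte key per node: '' is KR, '00' is K00, '0011' is K0011."""
    nodes = [""] + [format(i, "0%db" % d) for d in range(1, DEPTH + 1)
                    for i in range(2 ** d)]
    return {node: os.urandom(16) for node in nodes}

def device_keys(tree, device):
    """Key set of a device: its leaf key and every node key up to the root."""
    leaf = format(device, "0%db" % DEPTH)
    return {leaf[:i]: tree[leaf[:i]] for i in range(DEPTH + 1)}

def build_ekb(tree, revoked, group):
    """Renew every node key on the revoked leaf's path and wrap each new key
    for the children that may still learn it. `group` limits the off-path
    recipients to one subtree ('00' gives the five rows of Fig. 4(A))."""
    leaf = format(revoked, "0%db" % DEPTH)
    renewed = {leaf[:i]: os.urandom(16) for i in range(DEPTH)}
    ekb = []  # rows of (index of the decryption key, Enc(that key, new parent key))
    for i in range(DEPTH - 1, -1, -1):
        parent, on_path = leaf[:i], leaf[:i + 1]
        sibling = parent + ("1" if leaf[i] == "0" else "0")
        if on_path in renewed:  # child was renewed too: wrap under its new key
            ekb.append((on_path, enc(renewed[on_path], renewed[parent])))
        if sibling.startswith(group):  # untouched subtree: wrap under its old key
            ekb.append((sibling, enc(tree[sibling], renewed[parent])))
    return ekb, renewed

def process_ekb(held, ekb):
    """Device side: walk the rows bottom-up, decrypting whatever the keys held
    so far can open; a revoked or outside device ends with its old keys."""
    held = dict(held)
    for index, blob in sorted(ekb, key=lambda row: -len(row[0])):
        if index in held:
            new_key = dec(held[index], blob)
            if new_key is not None:
                held[index[:-1]] = new_key
    return held

if __name__ == "__main__":
    tree = make_tree()
    ekb, renewed = build_ekb(tree, revoked=3, group="00")
    print("EKB indexes:", [index for index, _ in ekb])
    for device in (0, 1, 2, 3, 4):
        got_root = process_ekb(device_keys(tree, device), ekb)[""] == renewed[""]
        print("device", device, "obtains K(t)R:", got_root)
```

Passing `group=""` instead of `"00"` adds rows for the sibling subtrees outside the dotted-line group, so that every device except the revoked one can follow the renewal.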

[Distribution of Content Key using EKB]

[0062] Fig. 5 illustrates a specific example of a process performed by the device 0 to obtain the content key K(t)con which is valid at the point of time t from the data Enc(K(t)00, K(t)con), which has been produced by encrypting the new common content key K(t)con using K(t)00 and supplied together with the EKB shown in Fig. 4(B) to the device 0 via a storage medium. In this case, [...] encrypted by the EKB.

[0063] As shown in Fig. 6, the device 0 produces the node key K(t)00 [...] generation [...] key K000, which is already held by the device 0, in a similar manner as described above. Thereafter, the renewed content key K(t)con [...] by means of decryption using the renewed node key K(t)00. Furthermore, [...] encrypted [...] using the leaf key K0000 held only by the device 0 so that the content key K(t)con can be used at any time thereafter.



[Format of EKB]

[0064] Fig. 6 [...] the format of an enabling key block (EKB). A version 601 is an identifier indicating the version of the enabling key block (EKB). The version serves not only to ide[...] EKB but also [...] correspondence with contents. The depth indicates the number of layers of a hierarchical tree of devices to which this enabling key block (EKB) is distributed. A data pointer 603 points to a location of a data field in the [...]. A tag pointer 604 points to a location of a tag field, and a signature pointer 605 points to a location of a signature.

[0065] The data field 606 is used to store encrypted data such as a renewed node key. For example, data of encrypted keys associated with a renewed node key, such as that shown in Fig. 6, is stored in the data field.

[0066] The tag field 607 is used to store tags indicating the locations of the encrypted node keys and leaf keys stored in the data field. The rule of determining the tags is described below with reference to Fig. 7. In a specific example shown in Fig. 7, the enabling key block [...] with reference to Fig. 4(A) is transmitted as the data. A table (b) in Fig. 7 shows the data that is transmitted in this specific example. Herein, the address of a top node in the encrypted keys is [...]. [...] because a renewed root key K(t)R is included in the encrypted keys, the top node address becomes KR. The data Enc(K(t)0, K(t)R) at the top corresponds to a location of the hierarchical tree shown in (a) of Fig. 7. The location in the hierarchical tree for the next data Enc(K(t)00, K(t)0) is lower left to the location of the previous data. When there is data, the tag is set to 0, while the tag is set to 1 when there is no data. Tags are represented in the form of {L-tag, R-tag}, wherein L-tag denotes a left tag and R-tag denotes a right tag. [...] the data Enc(K(t)0, K(t)R) in the top row, there is data to the left thereof, and thus the L-tag is set to 0, while the R-tag is set to 1 because there is no data to the right thereof. Tags are set for all data in a similar manner. As a result, a sequence of data and a sequence of tags are produced as shown in Fig. 7(c).

[0067] The tags indicate the locations of data Enc(Kxxx, Kyyy) in the tree structure. Key data Enc(Kxxx, [...] encrypted keys, and thus the tags are used to indicate the locations, in the tree, of encrypted keys stored in the data field. Instead of using the tags, the locations in the tree may [...] indexes to [...] corresponding [...] described earlier with reference to Fig. 4. More specifically, the node indexes may be added as follows.

0: Enc(K(t)0, K(t)root)
00: Enc(K(t)00, K(t)0)
000: Enc(K(t)000, K(t)00)

[...] results in redundancy in the data, and thus a greater data size is needed to describe the data, which is undesirable in transmission [...] index data indicating the locations of keys, the locations of keys can be indicated with a smaller data size.

[0068] Referring back to Fig. 6, the format of EKB is described further. A signature is a digital signature written by [...] a clearance institution which issued the enabling key block (EKB). When a device receives the EKB, the device verifies the signature to determine whether the [...] block (EKB) is a correct one issued by an authorized enabling key block (EKB) issuer.

[... content using an EKB]

[0069] In the example described above, only the content key [...] encrypted using a content key may also be transmitted [...] key encryption key [...] a content key encryption key encrypted using [...]

[0070] Fig. 8 shows a data format used for the present purpose. In the data format shown in Fig. 8(a), Enc(Kcon, content) 801 denotes data produced by encrypting [...] key (Kcon). Enc(KEK, Kcon) 802 is data produced by encrypting the content key (Kcon) using [...] key encryption key (KEK). [...] EKB [...] data produced by encrypting the content key encryption key KEK using the enabling key block (EKB).

[0071] Herein, the node key (K000, K00, ...) shown in Fig. 3 or the root key (KR) [...] content key encryption key KEK, or a key encrypted using the node key (K000, K00, ...) or the root key (KR) may be employed.

[0072] Fig. 8(b) shows a data format that may be used when a plurality of contents are stored on a medium, [...] KEK) 8[...]. In this case, data [...] to Enc(EKB, KEK) [...] instead of adding the same Enc(EKB, KEK) to the respective content data.

[0073] Fig. 9 shows an example in which the content key encryption key [...] renewed node key K(t)00 to be used instead of the node key K00 shown in Fig. 3. In the case where the device 3 in the group enclosed by the dotted line in Fig. 3 has been revoked because of exposure of secrecy of a key, if the enabling key block (EKB) shown in Fig. 9(a), data produced by encrypting the content key (Kcon) using the content key encryption key (KEK = K(t)00) shown in Fig. 9(b), and data produced by encrypting the content using the con[...] group, that is, to the devices 0, 1, and 2, the devices 0, 1, and 2 can acquire the content.



[0074] A decryption [...] by the device 0 is shown on the right-hand side of Fig. 9. First, the device 0 acquires the content key decryption key (KEK = K(t)00) from the received enabling key block by performing [...] the leaf key K000 held by the device 0. The device 0 then acquires the content key Kcon by means of decryption using K(t)00 and finally acquires the content by means of decryption using the content key Kcon. Thus, the device 0 can obtain the content. Similarly, the devices 1 and 2 can acquire the content key encryption key (KEK = K(t)00) by processing the EKB according to their own procedures and can further acquire the content.

[0075] Even if the devices 4, 6, 8, and so on of the other groups shown in Fig. 3 received similar data (EKB), they cannot acquire the content key encryption key (KEK = K(t)00) using the leaf keys or node keys held by them. The revoked device 3 can also not acquire the content key encryption key (KEK = K(t)00) using the leaf key or node keys held by the device 3. Thus, only the authorized devices can decrypt the content and can use the decrypted content.

[0076] [...] it is possible to securely distribute an encrypted content using a small amount of [...] can decrypt the encrypted content.
[0077] [...] described above, the enabling key block (EKB), the content key, and the encrypted content are securely distributed via the network. Alternatively, the enabling key block (EKB), the content key, and the encrypted content may be stored on a storage medium such as a DVD or a CD and the storage medium may be supplied to a user, thereby providing the enabling key block (EKB), the content key, and the encrypted content to the user. In this case, if the encrypted content [...] block (EKB) are [...] on the same storage medium [...] encrypted content can be decrypted using the content key that can be obtained by decrypting [...] (EKB), it is possible to realize a simple content distribution system that allows only limited authorized user devices to use a distributed [...] decrypting it using a leaf key or node keys held by the user devices.

[0078] Fig. 10 shows an example in which encrypted contents and enabling key blocks (EKB) are stored together on a storage medium. In this specific example shown in Fig. 10, contents C1 to C4 are stored on a stor[...] between the respective contents and enabling key blocks (EKB) is stored on the same storage medium, and furthermore an enabling key block of version M (EKB_M) is also stored. For example, EKB_1 is used to produce a content key Kcon1 used to encrypt the content C1, and EKB_2 is used to produce a content key Kcon2 used to encrypt the content C2. In this example, because the [...] version M is stored on the storage medium [...] contents C3 and C4 [...] block (EKB_M), it is possible to acquire the content key for the [...] EKB_2 are not stored on the disk, it is needed to acquire them via another means such as a network communication [...] keys C1 and [...]

[0079] Fig. 11 shows a comparison between a process of distributing a content key using an EKB and a process of distributing a content key according to the conventional technique, for a case in which the content keys are [...]. The conventional [...] shown in the [...] (a) of Fig. 11, and the [...] enabling key block (EKB) according to the present invention is shown in the lower half area (b) of Fig. 11. In Fig. 11, Ka(Kb) denotes data produced by encrypting Kb using Ka.

[0080] In the conventional technique, as shown in (a), authentication and key exchange (AKE) are performed between devices [...] devices are authorized devices and to produce a session key Kses to be used in common by both devices. If and only if the authentication is successfully passed, a content key Kcon is encrypted using the session key Kses [...] data is transmitted.

[0081] For example, a PC shown in Fig. 11(a) can acquire Kcon by decrypting encrypted content key Kses(Kcon) using a received session key. Furthermore, the PC can encrypt the acquired content key Kcon using a storage key Kstr held by the PC and store resultant encrypted data into a memory of the PC.

[0082] In Fig. 11(a), even in a case where a content provider wants to transmit data such that only a storage device 1101 shown in Fig. 11(a) can use the data, if there are a PC and a playback [...] the content provider and the storage device 1101, it is needed to perform [...] in Fig. [...] transmit a content key encrypted using a session key. In this case, the PC and the [...] existing between [...] acquire the content [...] the encrypted content key using the session key produced via the [...] process and acquired by the PC and the playback apparatus.

[0083] On the other hand, in the example shown in the lower half area (b) of Fig. 11 in which a content pro[...] (K(t)00(Kcon) in the specific example shown in Fig. 11(b)) produced by encrypting a content key Kcon using a node key or a root key that is obtained by processing the enabling key block (EKB), only a device which can [...] decrypt [...] acquire the content key Kcon.

[0084] [...] enabling key block (EKB) is [...] a device located on the right end in Fig. 11(b), and if the enabling key block (EKB) [...] with data produced by encrypting a content key Kcon using a node key or a root key that can be obtained by processing the EKB, a device such as a PC or a playback apparatus existing between the [...] device on the right end cannot process [...] key [...] key that can be used only by an authorized device without [...] receiving devices, such as authentication, production of a session key, and encryption [...] using the session key.

[0085] When it is desired to transmit a content key such that it can also be used by the PC and the playback apparatus, [...] such that [...] can [...] by any [...] these devices which should be allowed to use the content key, and if [...] EKB is [...] device can acquire the content key.

[Distribution of an authentication key using an enabling key block (EKB) (by means of common key cryptography)]

[0086] In the distribution of data or a key using an enabling key block (EKB) according to the above-described technique, [...] (EKB) and the [...] key that are transmitted between devices are encrypted into the same form. Therefore, [...] that an unauthorized copy is made by a so-called replay attack technique in which data is stolen and recorded by tapping a data transmission line and the recorded data is transferred later. To prevent [...] unauthorized manner, it is effective to perform authentication and key exchange as in the conventional technique. Thus, herein, a technique is disclosed in which an authentication key Kake used in authentication [...] is transmitted to a device, using an enabling key block (EKB) according to the above-described [...] allowing the common authentication key to be used as a secure secret key and thus allowing authentication to be performed according to the common key cryptography technique. That is, in this technique, the authentication [...] encrypted by an EKB.

[0087] Fig. 12 shows a mutual authentication method [...]

[0088] In the example shown in Fig. 12, a common key cryptography technique based on the DES is employed; another similar common key cryptography technique may also be employed. In Fig. 12, a device B first generates a 64-bit random number Rb and transmits Rb together with [...] ID(b) of the device B to a device A. Upon receiving Rb and ID(b), the device A generates a 64-bit random number Ra and encrypts Ra, Rb, and [...] in the CBC mode of the DES, in the order of Ra, Rb, and ID(b). The resultant encrypted data is returned to the device B. Herein, the key Kab is a key that is used as a secret key in common by [...] devices A and B [...] that is stored in a storage device of each of the devices A and B. The encryption using the key Kab in the CBC mode of the DES may be [...] the process using the DES, the [...] between the initial value and Ra is calculated and the result is encrypted by the DES encryption unit using a key Kab, thereby obtaining encrypted data E1. The exclusive OR between E1 and Rb [...] result is encrypted by the DES encryption [...] obtaining encrypted data E2. Furthermore, the exclusive OR between the encrypted data E2 and ID(b) is calculated, and the result is encrypted by the DES encryption unit using the key Kab, thereby obtaining encrypted data E3. The obtained encrypted data E1 to E3 (Token-AB) are transmitted.

[0089] [...] device B decrypts [...] the key Kab (authentication key) as the secret key used in common. More specifically, [...] of the received data is performed as follows. First, the encrypted data E1 is decrypted [...] to obtain the random value Ra. Thereafter, the encrypted data E2 is decrypted using the authentication key Kab. Rb is obtained by calculating exclusive OR between the resultant decrypted data and E1. Finally, the encrypted data E3 is decrypted using the authentication key Kab, and exclusive OR between the resultant decrypted data and E2 is calculated to obtain ID(b). Of Ra, Rb, and ID(b) obtained via the above process, Rb and ID(b) are compared with th[...] device B to verify whether they are identical. If the verification is successfully passed, the device B determines that the device A is an authorized device.

[0090] Thereafter, the device B generates a session key (Kses) which will be used after the authentication (the session key Kses is generated using a random number). Rb, Ra, and Kses are e[...] using the [...] Kab in the CBC mode of the DES and transmitted to the device A.

[0091] Upon [...] A decrypts the received data using the authentication key Kab. The decrypt[...] by [...] device B, and thus it is not described in further detail herein. Thus, Rb, Ra, and Kses are obtained, and Rb and Ra are compared with [...] verification is successfully [...] the device A [...] device B [...] device. In communication performed after the mutual authentication has been [...] the session key Kses is used to secure the secrecy.

[0092] In the case where the received data is determined as being invalid in the above-described verification, the mutual authentication fails and the process is terminated.
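The exchange of paragraphs [0088] to [0092], as an added example that is not part of the patent text: both tokens are built with the CBC chaining the page describes (E1 to E3), and the last lines of the demo show why the fresh Rb defeats a recorded token. The page uses DES; this sketch substitutes a stand-in 64-bit Feistel cipher built from HMAC-SHA256 so that it runs with the standard library only. The function names, the all-zero initial value and the 8-byte ID(b) are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    """Round function of the stand-in cipher."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, block):
    """Stand-in 64-bit block cipher (4-round Feistel); the page uses DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, blocks, iv=bytes(BLOCK)):
    """E1 = E(IV ^ P1), E2 = E(E1 ^ P2), E3 = E(E2 ^ P3)."""
    out, prev = [], iv
    for plain in blocks:
        prev = block_encrypt(key, xor(prev, plain))
        out.append(prev)
    return out

def cbc_decrypt(key, blocks, iv=bytes(BLOCK)):
    """P1 = D(E1) ^ IV, P2 = D(E2) ^ E1, P3 = D(E3) ^ E2."""
    out, prev = [], iv
    for cipher in blocks:
        out.append(xor(block_decrypt(key, cipher), prev))
        prev = cipher
    return out

def a_token(kab, rb, id_b):
    """Device A: pick Ra and return (Ra, Token-AB) over Ra, Rb, ID(b)."""
    ra = os.urandom(BLOCK)
    return ra, cbc_encrypt(kab, [ra, rb, id_b])

def b_check(kab, token, rb, id_b):
    """Device B: accept A only if the token carries B's own Rb and ID(b)."""
    ra, rb_rx, id_rx = cbc_decrypt(kab, token)
    same = hmac.compare_digest(rb_rx, rb) and hmac.compare_digest(id_rx, id_b)
    return ra if same else None

def b_token(kab, rb, ra):
    """Device B: pick Kses and return (Kses, token) over Rb, Ra, Kses."""
    kses = os.urandom(BLOCK)
    return kses, cbc_encrypt(kab, [rb, ra, kses])

def a_check(kab, token, rb, ra):
    """Device A: accept B only if the token echoes Rb and A's own Ra."""
    rb_rx, ra_rx, kses = cbc_decrypt(kab, token)
    same = hmac.compare_digest(rb_rx, rb) and hmac.compare_digest(ra_rx, ra)
    return kses if same else None

def handshake(kab_a, kab_b, id_b=b"DEVICE-B"):
    """Run the whole exchange; returns the shared Kses or None on failure."""
    rb = os.urandom(BLOCK)                         # B -> A: Rb, ID(b)
    ra, token_ab = a_token(kab_a, rb, id_b)        # A -> B: Token-AB
    ra_seen = b_check(kab_b, token_ab, rb, id_b)
    if ra_seen is None:
        return None                                # authentication fails
    kses, token_ba = b_token(kab_b, rb, ra_seen)   # B -> A: Rb, Ra, Kses
    return a_check(kab_a, token_ba, rb, ra)

if __name__ == "__main__":
    kab = os.urandom(16)  # constructed sample key standing in for Kab
    print("same Kab:", handshake(kab, kab) is not None)
    print("different Kab:", handshake(kab, os.urandom(16)) is not None)
    old_rb, id_b = os.urandom(BLOCK), b"DEVICE-B"
    _, recorded = a_token(kab, old_rb, id_b)       # token captured earlier
    fresh_rb = os.urandom(BLOCK)                   # B's challenge in a new run
    print("replayed token accepted:",
          b_check(kab, recorded, fresh_rb, id_b) is not None)
```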



[0093] [...] the authentication key Kab is used in common by both devices A and B. This common key Kab is transmitted to the dev[...] using a[...] (EKB).

[0094] More specifically, [...] example shown in Fig. 12, one of devices A and B [...] produces an enabling [...] block (EKB) such that it can be decrypted by the other device and [...] further encrypts the authentication key Kab using the produced enabling key block (EKB) [...] encrypted data to the other device. [...] a third party may produce an en[...] be used by both devices A and B, and may transmit an authentication key Kab encrypted [...] produced enabling key block (EKB) to the devices A and B.
[0095] Figs. 13 and 14 show examples of processes of transmitting a common authentication key Kake to a plurality of devices by means of the technique using an enabling key block (EKB). [...] shown in Fig. 13, an authentication key Kake that can be decrypted by devices 0, 1, 2, and 3 is transmitted to these devices. [...] shown [...] Fig. 14, of devices 0, 1, 2, 3, the device 3 is revoked, and an authentication key that can be decrypted only by devices 0, 1, 2 is transmitted.

[0096] In the example shown in Fig. 13, data (b) pro[...] Kake [...] renewed node key K(t)00 is tra[...] an enabling key block (EKB) produced such that the renewed node key K(t)00 can be obtained by decrypting the EKB using node keys and leaf keys held by the respective devices 0, 1, 2, and 3. As shown on the right-hand side of Fig. 13, each device first acquires the renewed node key K(t)00 by processing (decrypting) the EKB and then [...] key Kake by [...] Kake) using the acquired node key K(t)00.

[0097] Even if one of the other devices 4, 5, 6, 7, and so on [...] block (EKB), the device c[...] EKB using a node key or a leaf key held by the device to acquire the renewed node key K(t)00. Thus, it is possible to securely transmit the authentication key only to authorized devices.

[0098] On the other hand, in the example shown in Fig. 14, in a situation in which the device 3 in the group enclosed by the dotted line in Fig. 3 has been revoked because of exposure of secrecy of a key, an enabling key block (EKB) is produced such that it can be decrypted only by the other members of the group, that is, the devices 0, 1, and 2, and the [...] enabling key block (EKB) is [...] the enabling key block (EKB) shown in Fig. 14(a) and [...] Fig. 14(b), produced by encrypting the authentication key (Kake) using the node key (K(t)00) are transmitted together.
[0099] The decryption procedure is shown on the right-hand side of Fig. 14. Each device 0, 1, and 2 first acquires the renewed node key (K(t)00) from the received enabling key b[...] decryption using a leaf key or a node key h[...] device. There[...] each d[...] authentication key Kake by performing [...] using K(t)00.

[0100] Even if one of the devices 4, 5, 6, and so on of the other groups shown in Fig. 3 received similar data (EKB), it cannot acquire the renewed node key (K(t)00) using a leaf key or a node key held by it. The revoked device 3 also cannot acquire the renewed node key (K(t)00) using a leaf key or a node key held by it. Thus, only the authorized devices can decrypt the authentication key and can use it.

[0101] Thus, the above-described method of transmitting an authentication key using an EKB makes it possible to securely transmit an encrypted authentication key using a small amount of data such that only authorized [...] key.

[Diss ibs., or of a if* it f- 

certificate and an enacting Key bfcsck {EKS}] 

[0102] Now.ameth* letd r cntentkeyes 

(fcKB^ is dssct oco oc m f irst a me hbd o! mutual au- 
thentication using 160-bit eipite-curve cryptography 
which 

scribed below with reference to Fig. 1 5. Aifbough ECC 
is employed is the pi - - ; v scheme m 
the process shown in hip, 1 5. anotner similar symmetric 
key cryptography scheme may also be employed Fur- 
thermore, the key size is no; limited to 160 bite, in Fig. 
15, first, a device 8 generates a 64-bft random number 
Rb and transmits 1 10 » device A. Upon receiving Rb. 
She device A generates a 34-bii us'ioom ;i umber Ra end 
a ransom nun k ian a prime number p. 

Point Av = AkxG is calculated by multiplying a base 
point <a by Ak, A digital signature A.Sig for Ra, Rb. and 
Av (X and Y coordinates; is ; hen generated and irans- 
mstted together with a public key certificate ci \ device 
A to the device B. Herein. Ra and Rb have a length of 
64 bits and the X and Y coordinates of Av have a length 
of 160 bhs. and thus the digital signature is generated 
Sore total length of MB bits 

[0103] Upon receiving the public key certificate of the device A, Ra, Rb, Av, and the digital signature A.Sig, the device B verifies whether Rb received from the device A is equal to the original value generated by the device B. If the verification indicates that Rb is equal to the original value, the digital signature written in the public key certificate of the device A is then verified using the public key of the certificate authority, and the public key of the device A is extracted. Then the digital signature A.Sig is verified using the extracted public key of the device A.

[0104] Thereafter, the device B generates a random number Bk smaller than the prime number p. Then, point Bv = Bk × G is calculated by multiplying the base point G by Bk. A digital signature B.Sig for Rb, Ra, and Bv (X and Y coordinates) is then generated and transmitted together with a public key certificate of the device B to the device A.
[0105] Upon receiving the public key certificate of the device B, Rb, Ra, Bv, and the digital signature B.Sig, the device A verifies whether Ra received from the device B is equal to the original value generated by the device A. If the verification indicates that Ra is equal to the original value, the digital signature written in the public key certificate of the device B is then verified using the public key of the certificate authority, and the public key of the device B is extracted. Then the digital signature B.Sig is verified using the extracted public key of the device B. If the verification of the digital signature is successfully passed, the device A regards the device B as being an authorized device.
[0106] If the mutual authentication is successfully passed, the device B calculates Bk × Av (by multiplying the point Av on the elliptic curve by Bk, which is a random number), and the device A calculates Ak × Bv. Lower-order 64 bits of the X coordinates of the resultant points are used as a session key during communication performed thereafter (in the case where 64-bit keys are used as symmetric keys according to the symmetric key
cryptograph) The " f /t operated frc-m 

r Moretcom- 

unir si authentication, a 

digital signature may be added to data encrypted using a session key.

[0107] In the case where the digital signature or the received data is determined as being invalid in the above-described verification, the mutual authentication fails and the process is terminated.

[0108] Fig. 16 shows an example of a process of distributing a content key using a public key certificate and an enabling key block (EKB). First, authentication is performed between a content provider and a PC by means of the public key cryptography technique described above with reference to Fig. 15. The content provider produces an EKB that can be decrypted using a node
key or a leaf k I apparalus o> a stot 

4 i o da t vhl » 1 trar mi e J 

45 Thereafter, the encrypted content key fc(Kcoii) pro- 
node key and t or >ling . c EKB)ar< enoryi 
ed using a session ko Ks /-a the autheri 

fication between the content provider and the PC, and the resultant data is transmitted to the PC.

[0109] The PC decrypts, using the session key, the
tut ent key e i n new» i node 

h»ai hnm j i i h we b h 

encrypted using the session key and transmits the resultant decrypted data to the playback apparatus and the storage medium.
[0110] The playback apparatus and the storage medium acquire the content key by decrypting, using a node key or a leaf key held by them, the content key E(Kcon) encrypted using the renewed node key and the enabling key block (EKB).

[0111] In this method, if and only if authentication between the content provider and the PC is successfully passed, the content key E(Kcon) encrypted using the renewed node key and the enabling key block (EKB) are transmitted, thereby ensuring that data can be securely transmitted only to an authorized device even in a situation in which secrecy of a node key has been exposed.

[Distribution of a program code using an enabling key block (EKB)]

[0112] In the examples described above, data such as a content key, an authentication key, or the like is encrypted using an enabling key block (EKB) and resultant encrypted data is transmitted. Various kinds of program codes may also be transmitted in a similar manner using an enabling key block (EKB). In this case, a program code is transmitted as message data encrypted using an EKB. The process is described in further detail below.

[0113] Fig. 17 shows an example of a process of transmitting a program code between devices after encrypting it using, for example, a renewed node key included in an enabling key block (EKB). A device 1701 produces an enabling key block (EKB) that can be decrypted using a node key or a leaf key held by a device 1702, and encrypts a program code using a renewed node key included in the enabling key block (EKB). The resultant enabling key block (EKB) and the encrypted program code are transmitted to the device 1702. The device 1702 acquires the renewed node key by processing the received EKB, and then acquires the program code by decrypting the encrypted program code using the renewed node key.
[0114] In the example shown in Fig. 17, the device
h t 1 > . v <- fu - 1 - i e ii -K 
returns the result to the device 1701. Depending on the result, the device 1701 performs a further process.
[0115] As described above, by transmitting an enabling key block (EKB) and a program code encrypted using a renewed node key included in the enabling key block (EKB), it is possible to transmit the program code, which can be decrypted only by a specific device, to that specific device or a specific group shown in Fig. 3.

[Addition of an integrity check value (ICV) to a content to be transmitted]

[0116] A method is now described for preventing a content from being tampered with, by determining whether the content has been tampered with on the basis of an integrity check value (ICV) calculated for the content.

[0117] The integrity check value (ICV) of a content is calculated, for example, using a hash function for the content such that ICV = hash(Kicv, C1, C2, ...), wherein Kicv is an ICV generation key and C1 and C2 are information of the content represented in message authentication codes (MAC).

[0118] Fig. 18 illustrates an example of a process of producing a MAC value using a DES encryption scheme. As shown in Fig. 18, a message to be transmitted is divided into parts each consisting of 8 bytes (hereinafter, the divided parts of the message are denoted by M1, M2, ..., MN). First, the exclusive OR between the initial value (IV) and M1 is calculated (wherein the result is represented by I1). Thereafter, I1 is applied to a DES encryption unit to encrypt it using a key (K1) (wherein the encrypted output is denoted by E1). The exclusive OR between E1 and M2 is then calculated, and the result I2 is applied to the DES encryption unit to encrypt it using a key K1 (wherein the resultant output is denoted by E2). Thereafter, the above process is repeated until all parts of the message are encrypted. The final output EN is employed as a message authentication code (MAC).
[0119] An integrity check value (ICV) of the content is produced by applying a hash function to the MAC value of the content and the ICV generation key. The ICV generated on the basis of the content is compared with an ICV that has been produced, for example, when the content is generated and that is guaranteed as valid. If both values are identical, the content is determined to be valid without being tampered with. If they are different, the content is determined to have been tampered with.

[Distribution of a generation key Kicv of an integrity check value (ICV) using an EKB]

[0120] A process of distributing a generation key Kicv of an integrity check value (ICV) using an enabling key block (EKB) is described below. That is, in this case, the
per era l 1 k< \ Kiev 1 u 31 eck value (ICV) 
authentication key is transmitted as message data encrypted using the EKB.

[0121] Figs. 19 and 20 show specific examples of manners of transmitting, using an enabling key block (EKB), an integrity check value generation key Kicv used to verify that the content has not been tampered with in a situation in which the same content is transmitted to a plurality of devices. In the example shown in Fig. 19, an ICV generation key Kicv that can be decrypted by devices 0, 1, 2, and 3 is transmitted to those devices. In the example shown in Fig. 20, the device 3 of the devices is revoked, and an ICV generation key Kicv that can be decrypted only by devices 0, 1, 2 is transmitted.

[0122] In the example shown in Fig. 19, data (b) produced by encrypting the ICV generation key Kicv using a renewed node key K(t)00 is transmitted together with an enabling key block (EKB) produced such that the renewed node key K(t)00 can be obtained by decrypting the EKB using node keys and leaf keys held by the respective devices 0, 1, 2, and 3. As shown on the right-hand side of Fig. 19, each device first acquires the renewed node key K(t)00 by processing (decrypting) the EKB and then acquires the ICV generation key Kicv by decrypting the encrypted ICV generation key Enc(K(t)00, Kicv) using the acquired node key K(t)00.
[0123] Even if one of the other devices 4, 5, 6, 7, and so on receives the same enabling key block (EKB), the device cannot process the EKB using a node key or a leaf key held by it to acquire the renewed node key K(t)00. Thus, it is possible to securely transmit the ICV generation key only to authorized devices.
[0124] On the other hand, in the example shown in Fig. 20, the device 3 in the group enclosed by the dotted line in Fig. 3 has been revoked
because of e> y of a key. an enabling 

key bl 

ed only by the other members of the group, that is, the devices 0, 1, and 2, is produced, and the resultant enabling key block (EKB) is transmitted. More specifically, the enabling key block (EKB) shown in Fig. 20(a) and the data, shown in Fig. 20(b), produced by encrypting the ICV generation key Kicv using the node key (K(t)00) are transmitted together.

[0125] The decryption procedure is shown on the right-hand side of Fig. 20. Each device 0, 1, and 2 first acquires the renewed node key (K(t)00) from the received enabling key block by performing decryption using a leaf key or a node key held by the device. Thereafter, each device acquires the ICV generation key Kicv by performing decryption using K(t)00.

[0126] Even if one of the devices 4, 5, 6, and so on of the other groups shown in Fig. 3 received similar data (EKB), it cannot acquire the renewed node key (K(t)00) using a leaf key or a node key held by it. The revoked device 3 also cannot acquire the renewed node key (K(t)00) using a leaf key or a node key held by it. Thus, only the authorized devices can decrypt the ICV generation key and can use it.

[0127] Thus, the above-described method of transmitting an ICV generation key using an EKB makes it possible to securely transmit the ICV generation key using a small amount of data such that only authorized us-


[0128] 



n cryf ! hie 



showt 



tents in additio ts Herein CV(C1 22) 

denotes an integrity check value obtained by applying a hash function to the content C1 and the content C2 such that ICV = hash(Kicv, C1, C2). In the example shown in Fig. 21, the content C1 and the content C2 are stored on a medium 1 in an authorized manner, and the integrity check value (ICV(C1, C2)) produced on the basis of the content C1 and the content C2 is also stored thereon. On the other hand, the content C1 is stored on a medium 2 in an authorized manner, and the integrity check value (ICV(C1)) produced on the basis of the content C1 is also stored thereon. In this situation, if data {EKB, content 2} is copied from the medium 1 to the medium 2, a new integrity check value ICV(C1, C2) is produced by the medium 2, and it turns out that the new integrity check value is different from the integrity check value Kicv(C1) stored on the medium 2. Thus it turns out that the content has been tampered with or a new content has been copied in an unauthorized manner. When a device plays back a medium, if, before starting playback, the device checks the ICV to determine whether the generated ICV and the original ICV stored on the medium are identical to each other, and if playback is not performed when the two values are not identical to each other, it is possible to prevent an unauthorized copy of a content from being played back.
[0130] To further enhance the security, the integrity check value (ICV) of a content may be rewritten into a value produced on the basis of data including a counter value such that ICV = hash(Kicv, counter+1, C1, C2, ...), where the counter value (counter+1) is incremented by 1 each time the ICV is rewritten. It is required that the counter value be stored in a secure memory.
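The ICV check of Fig. 21 and the counter variant of [0130], as an added Python example that is not part of the patent text. HMAC-SHA256 stands in for the unspecified keyed hash, and the class names, the length-prefixed field encoding and all sample values are assumptions constructed for the demonstration; the stale-image case in `counter_scenario` is one consequence of the counter, an inference rather than something the text states.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def icv(k_icv, contents, counter=None):
    """ICV = hash(Kicv, [counter,] C1, C2, ...), here with HMAC-SHA256.

    Every field is length-prefixed so that shifting bytes between contents
    ("AB","C" versus "A","BC") changes the value.
    """
    mac = hmac.new(k_icv, digestmod=hashlib.sha256)
    if counter is None:
        mac.update(b"\x00")
    else:
        mac.update(b"\x01" + struct.pack(">Q", counter))
    for c in contents:
        mac.update(struct.pack(">Q", len(c)) + c)
    return mac.digest()


@dataclass
class Medium:                 # hypothetical model of a storage medium
    contents: list = field(default_factory=list)
    stored_icv: bytes = b""


@dataclass
class SecureMemory:           # hypothetical: counter kept off the medium
    counter: int = 0


def write_icv(k_icv, medium, secure=None):
    """Authorized update: recompute the ICV; with a counter, increment it first."""
    if secure is None:
        medium.stored_icv = icv(k_icv, medium.contents)
    else:
        secure.counter += 1
        medium.stored_icv = icv(k_icv, medium.contents, secure.counter)


def playback_allowed(k_icv, medium, secure=None):
    """Regenerate the ICV from the medium and compare it in constant time."""
    counter = None if secure is None else secure.counter
    fresh = icv(k_icv, medium.contents, counter)
    return hmac.compare_digest(fresh, medium.stored_icv)


def fig21_scenario(k_icv=b"constructed-demo-Kicv"):
    c1, c2 = b"content C1 (constructed)", b"content C2 (constructed)"
    medium1, medium2 = Medium([c1, c2]), Medium([c1])
    write_icv(k_icv, medium1)              # stores ICV(C1, C2)
    write_icv(k_icv, medium2)              # stores ICV(C1)
    before = playback_allowed(k_icv, medium2)
    medium2.contents.append(c2)            # raw copy from medium 1, ICV not rewritten
    after_copy = playback_allowed(k_icv, medium2)
    return before, after_copy, playback_allowed(k_icv, medium1)


def counter_scenario(k_icv=b"constructed-demo-Kicv"):
    secure, medium = SecureMemory(), Medium([b"C1"])
    write_icv(k_icv, medium, secure)                       # counter becomes 1
    snapshot = (list(medium.contents), medium.stored_icv)  # image of the medium
    medium.contents.append(b"C2")
    write_icv(k_icv, medium, secure)                       # counter becomes 2
    current_ok = playback_allowed(k_icv, medium, secure)
    medium.contents, medium.stored_icv = snapshot          # old image written back
    return current_ok, playback_allowed(k_icv, medium, secure), secure.counter
```

The check only holds if Kicv and the counter stay out of reach of whoever can write the medium, which is why the text places the counter in secure memory.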
[0131] In a case where an integrity check value (ICV) of a content cannot be stored on the same medium as that on which the content is stored, the integrity check value (ICV) of the content may be stored on a medium



e he: 



red en a 



Tify 



[0132] For example, when a content is stored on a read-only medium or a usual MO that does not have a copy protection capability, if an integrity check value (ICV) is stored on the same medium, the ICV can be rewritten by an unauthorized user, and thus the security of the ICV cannot be achieved. In such a case, the ICV is
dt ji i ^ ahos it e andcof 

tent copy control I n , out, move) i 



perfc 



y trier 



s be 



isidte 



nipe- 



are stored on a medium 1 together with an enabling key block (EKB) from which content keys associated with the contents C1 and C2 can be acquired. If the data is directly copied onto a medium 2, the copied EKB and contents can be used by any device that can decrypt the EKB.



[0129] 



t contrast. In Ihe example shown it; Fig. 21 ilch 
xized meet 

n.i > -kvi ft" 0^0' C i,c sic \iro\\ mcom 



-Lfir i^-v * [fH3' 3 .} r/ a- - v 

ess for the above purpose. In this example shown in Fig. 22, contents are stored on a medium 2201, such as a read-only medium or a usual MO, which does not have a copy protection capability, and integrity check values

(iCV)e 



medium 2202 on a host machine which is not allowed to be accessed by a user, thereby preventing the integrity check values (ICV) from being rewritten in an unauthorized manner. If, before a device starts playback of the medium 2201 mounted thereon, a PC or a server
serving as the host machine checks the iCV to deter 
i t ^ a t i d us pess-Ue 

to prevent an unauthorized copy of a content or a tampered content from being played back.

[Categorization of a hierarchical tree structure]

[0134] In the above examples, encryption keys are produced in the form of a hierarchical tree structure, such as that shown in Fig. 3, including a root key, node
k r ue.h a c r t v r 

authentication key, an ICV generation key, or a program
i \ s s r ,e a r hot wit i an en 

abling key block (EKB). The hierarchical tree structure that defines the node keys or the like may be categorized according to the types of devices, and renewal of keys, transmission of encryption keys, and transmission of data may be performed in an efficient manner, as described below.

[0135] Fig. 23 shows an example of categorization of the hierarchical tree structure. In this example shown in Fig. 23, a root key Kroot 2301 is disposed at the top of
the hierarchical tree structure node keys 2302 are dts- 
r d if * i I -to disposed 

at the bottom. Each device has a set of keys including a leaf key of the device itself, the root key, and node keys existing in

[0136] By way of example, it is assumed herein that nodes in an Mth level as counted from the top are defined as category nodes 2304. That is, the nodes in the Mth level are employed to define specific categories of devices. One node at the Mth level is employed as a top node, and nodes and leaves that exist at the (M+1)th level and lower levels in paths originating from that top
lode are defined < gop s it <J 

to the top node.

[0137] For example, one node 2305 in the Mth level in Fig. 23 is employed to define

s= ek; t'.i !■ i a a; .a c r idu= I ems,:, > < it r ; ft 
paths originating from this node are defined to correspond to various devices using a memory stick, belonging to the category of "memory sticks". That is, a set of nodes including the node 2305 and associated lower-level nodes and leaves is defined as belonging to the category of memory sticks.

[0138] Furthermore, a level that is lower than the Mth level by a proper number of levels may be employed as a sub-category level. For example, as shown in Fig. 23, a node that exists in a path originating from the category node 2305 of "memory sticks" and that is located two levels lower than the category node 2305 is
en o u m ... i , 1_ 
xductedinft < i memory sticks 

Similarly, a node 2307 below the sub-category node 2306 of playback devices is employed as a sub-category node of "telephones having a music playback capability" included in the category of playback devices. At a further lower level, a sub-category node 2308 of "PHS"

are defined s s es belong to the 

S Crttt 0} ), C t , \ c- l 'v 

[0139] The categories and sub-categories can be defined according to not only the types of devices but also manufacturers, content providers, or clearance institutions, and those nodes may be respectively managed by

"c them "a 1 s tt >- rta ties tegortesm sybe 

cefmed so as to have arbitrary scopes in accordance 
w h f ex r ne it c gai t 

t on* it st -> 1 n th 

egories or sub-categories are generically referred to as entities). For example, if one category node is set as a top node for dedicated use of a game machine XYZ provided by a game machine manufacturer, it becomes possible to sell the game machine XYZ in which node keys and leaf keys below the top node are stored. After selling the game machines XYZ, encrypted contents or keys may be supplied or keys may be renewed by supplying an enabling key block (EKB) including the top node key and node keys and leaf keys below the top node so that only devices below the top node can use the supplied

[01 0' i L e when one node is given 

as a top node, lower-level nodes arising from the top node are defined as belonging to a category or a sub-category assigned to that top node, thereby making it possible for a manufacturer or a content provider that manages one top node of one category or sub-category to produce an enabling key block (EKB) including that
top node without ha' c trttne other 

alegones or sub-categ tethe w-u a i 

enabling key block (EKB) to devices corresponding to the top node or the lower-level nodes arising from the top nodes, and thus making it possible to renew a key without exerting any influence on devices belonging to the other categories that do not belong to that top node.

[Distribution of a key using a simplified EKB (1)]

[0141] In the tree structure described earlier with reference to Fig. 3, when a key such as a content key is sent to a specific device (leaf), an enabling key block (EKB) is produced such that it can be decrypted by a leaf key or a node key held by the device to which the key is to be sent, and the resultant enabling key block
so sSructutes « en as a cor: - 

tent key is transmitted to devices a, g, and j at corresponding leaves, an enabling key block (EKB) that can be decrypted by those nodes a, g, and j is produced and transmitted.
[0142] For example, when a content key K(t)con is encrypted using a renewed root key K(t)root and transmitted together with an EKB, the devices a, g, and j can acquire the renewed root key by processing the EKB using the leaf key and the node keys shown in Fig. 24(b), and further can acquire the content key K(t)con by performing decryption using the acquired root key K(t)root.

[0143] Fig. 25 shows the enabling key block (EKB) that is transmitted in this specific case. The enabling key block (EKB) shown in Fig. 25 is produced in accordance with the EKB format described earlier in accordance with Fig. 6, and thus the EKB includes data (encrypted keys) and tags corresponding to the data. As described
earlier with reference to Fig. id left and itgnt (R) com- 
ponent of each tag nas a value of 0 or 1 depending on 
whether dais exits In I or R directions. 
[0144] If a device receives the enabling key block 



keys from a level to a higher level. As shown in Fig. 25, the data size of the enabling key block (EKB) increases with the number of levels between the root and the leaves (the number of levels is referred to as the depth). The depth (number of levels) increases with the number of devices (leaves), and thus the data size of the EKB becomes great when keys are transmitted to a great number of devices.

[0145] A technique of reducing the data size of the enabling key block (EKB) is described below. Fig. 26 shows an example of an enabling key block (EKB) simplified depending on devices to which keys are transmitted.

[0146] As in the example shown in Fig. 25, it is also assumed that a key such as a content key is transmitted to devices a, g, and j at corresponding leaves. As shown in Fig. 26(a), a tree structure is produced such that it includes only those devices to which the key is to be


i the 



eshot. 



n be pro 



oed by 



a pa: 



such that it includes only paths to endpoint nodes or leaves that are allowed to decrypt the enabling key block (EKB) and then unnecessary nodes are removed from the tree. The enabling key block (EKB) used to distribute renewed keys is produced on the basis of only keys corresponding to the nodes or leaves included in this reconstructed hierarchical tree.
[0148] The enabling key block (EKB) described above
vmh o'c^nr m-q n -yptf * -o^s f y 



has a value of 0 or 1 depending on whether there is data in the L (left) direction, and the third bit has a value of 0 or 1 depending on whether there is data in the R (right) direction. The first bit is used to indicate whether the EKB includes an encrypted key at a location corresponding to the tag. When an encrypted key is included, the first bit is set to 1, while it is set to 0 if no encrypted key is included.

[0149] The data size of the enabling key block (EKB), which is provided to devices (leaves) via a data communication network or by supplying a storage medium on which the EKB is stored, can be greatly reduced by employing the structure shown in Fig. 26(b), compared with the structure shown in Fig. 25. When each device receives the enabling key block (EKB) shown in Fig. 26, the device sequentially decrypts only the data
loca ion h> i esf nrJi »g ags 



crypto. 



; do. 



ryots 



m Rg 



node key K(t)0 and decrypts encrypted data Enc(K(t)0, K(t)root) using the node key K(t)0 thereby acquiring K(t)root. On the other hand, the device j decrypts encrypted data Enc(Kj, K(t)root) using a leaf key Kj thereby acquiring K(t)root.

[0150] As described above, if a new simplified tree
e 1 - j t data c to he 

transmitted is produced, and if an enabling key block 



EKB . 



rays 



is produced on the basis of the tree structure shown in Fig. 24(b). In a path from Kroot to Kj, there is no path branching from the path from Kroot to Kj, and thus this path can be represented by only one branch. On the other hand, to reach Ka or Kg from Kroot, it is needed to branch at K0 to Ka or Kg. Thus, the tree can be formed so as to have two branches as shown in Fig. 26(a).

[0147] As shown in Fig. 26(a), the resultant tree has 



(EKB) becomes small in data size, and thus it becomes possible to transmit the enabling key block (EKB) in an efficient manner.


[Distribution of a key using a simplified EKB (2)]

[0151] A technique of further simplifying the enabling key block (EKB) produced on the basis of the simplified tree shown in Fig. 26, thereby further reducing the data size and thus making it possible to perform processing in an efficient manner, is described below.

[0152] In the example described above with reference to Fig. 26, the tree is produced by reconstructing the original tree such that a binary tree is first produced such that it includes only paths to endpoint nodes or leaves that are allowed to decrypt the enabling key block (EKB) and then unnecessary nodes are removed from the tree. The enabling key block (EKB) used to distribute renewed keys is produced on the basis of only keys corresponding to the nodes or leaves included in this reconstructed hierarchical tree.

[0153] On the basis of the reconstructed hierarchical tree shown in Fig. 26(a), the enabling key block (EKB) is produced as shown in Fig. 26(b) so that the leaves a, g, and j can acquire the renewed root key K(t)root, and the resultant enabling key block (EKB) is distributed. In the processing of the enabling key block (EKB) shown in Fig. 26(b), the leaf j can acquire the root key K(t)root by performing only one decryption process in which Enc(Kj, K(t)root) is decrypted. However, the leaves a and g have to first decrypt Enc(Ka, K(t)0) or Enc(Kg, K(t)0) to acquire K(t)0 and then decrypt Enc(K(t)0, K(t)root). In other words, the leaves a and g have to perform a two-step process for decryption.
[0154] In a case where the node K0 functions as a sub-root node that manages lower-level leaves a and g, the hierarchical tree reconstructed into the simplified form as shown in Fig. 26 may be useful to confirm that leaves a and g have acquired renewed keys. However, if the node K0 does not manage the lower-level leaves or if, although the node K0 manages the lower-level leaves, providing of a renewed key from a higher-level node is allowed, then the reconstructed hierarchical tree shown in Fig. 26(a) may be further simplified by removing the node K0, and an enabling key block (EKB) may be
produce on ' r , f j -\ 

[0155] An example of such an enabling key block (EKB) is shown in Fig. 27. As in the example shown in Fig. 26, it is also assumed that a key such as a content key is transmitted to devices a, g, and j at corresponding leaves. As shown in Fig. 27(a), a tree is produced such that the root Kroot is directly connected to the respective leaves a, g, and j.

[0156] Thus, as shown in Fig. 27(a), the resultant tree has a structure that can be obtained by removing the node K0 from the reconstructed hierarchical tree shown in Fig. 26(a). The enabling key block (EKB) used to distribute renewed keys is produced on the basis of this

chical tree reconstructed so as to include only paths that
t \ let javes rha; are allot < 

decrypt the enabling key block (EKB). The enabling key block (EKB) used to distribute renewed keys is produced on the basis of only keys corresponding to the leaves included in this reconstructed hierarchical tree.
[0157] in the f iv, , r - q 27[ } fh< 

where the highest-level node distributes keys to middle-level and lower-level nodes, the tree may be simplified by directly connecting the highest node to a middle-level or lower-level node, an enabling key block (EKB) may
be produced s 

may be transmitted using the resultant enabling key block (EKB). As described above, the reconstructed hierarchical tree has a structure in which the top node thereof is directly connected to endpoint nodes or leaves. In this simplified tree, the number of paths branching from the top node is not limited to two, but the top node may have three or more branching paths depending on the number of distribution nodes or leaves.



[01 SSJ The • . - orbed abew 

with reference 1o F<g :- 5 pre i data corre- 

sponding to ail keys i f t t especttve leaves 
a, g, and } to » p vn in Fig. 26 the 

enabling key block (EKB) includes the leaf keys assigned to the leaves a, g, and j, the node K0 shared by a and g, and the root key. In contrast, in the enabling key block (EKB) produced on the basis of the simplified hierarchical tree shown in Fig. 27(a), the key at the node K0 is removed, and thus, as shown in Fig. 27(b), it has a further reduced data size.

[0159] The enabling key block (EKB) shown in Fig. 27(b), as in the enabling key block (EKB) shown in Fig. 26(b), includes 3-bit tags. The second and third bits are used in the same manner as in the example shown in Fig. 26. That is, the second bit has a value of 0 or 1 depending on whether there is data in the L (left) direction, and the third bit has a value of 0 or 1 depending on whether there is data in the R (right) direction. The first bit is used to indicate whether the EKB includes an encrypted key at a location corresponding to the tag. When an encrypted key is included, the first bit is set to 1, while it is set to 0 if no encrypted key is included.
[0160] In the enabling key block (EKB) shown in Fig. 27(b), each of the leaves a, g, and j can acquire the root key by performing only one process of decrypting Enc(Ka, K(t)root), Enc(Kg, K(t)root), or Enc(Kj, K(t)root).
[0161]

30 treereconst'uetec: rc i mc udiiig a lop 

node and endpoint nodes or leaves directly connected to the top node is produced on the basis of only those keys corresponding to the top node and the endpoint nodes or leaves of the reconstructed tree, as shown in Fig. 27(b).

[0162] By building a new simplified tree structure including only devices to which an enabling key block (EKB) is to be transmitted and producing the enabling key block (EKB) using only keys of leaves included in the resultant simplified tree or keys shared by leaves, as is the case with the enabling key blocks (EKB) described above with reference to Fig. 26 or 27, the resultant enabling key block (EKB) becomes small in data size, and thus it becomes possible to transmit the enabling key block (EKB) in an efficient manner.
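The revocation case of Fig. 20 and the directly connected simplified tree of Fig. 27, as an added Python example that is not taken from the patent: the EKB carries one wrapped copy of the renewed key for each node in the smallest cover of the authorized leaves, tagged with that node's path. The HMAC-SHA256 wrap is a standard-library stand-in for the unspecified cipher, and the path-string tags, the function names and the device indices in the test are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

DEPTH = 4        # 16 leaves; device n sits at the leaf whose path is format(n, "04b")
NODE_KEYS = {}   # key distribution center: path ("" = root, "00" = K00) -> key


def _generate(node=""):
    NODE_KEYS[node] = secrets.token_bytes(16)
    if len(node) < DEPTH:
        _generate(node + "0")
        _generate(node + "1")


_generate()


def device_keys(dev):
    """Keys a device holds: its leaf key and every node key on the path to the root."""
    leaf = format(dev, f"0{DEPTH}b")
    return {leaf[:i]: NODE_KEYS[leaf[:i]] for i in range(DEPTH + 1)}


def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def wrap(kek, key):
    """Enc(kek, key): stand-in cipher, HMAC-SHA256 keystream plus integrity tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _mac(kek, b"enc", nonce)))
    return nonce + ct + _mac(kek, b"tag", nonce + ct)


def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag", nonce + ct)):
        return None                      # wrong key or modified entry
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"enc", nonce)))


def cover(authorized, node=""):
    """Smallest set of nodes whose subtrees hold exactly the authorized devices."""
    width = DEPTH - len(node)
    first = (int(node, 2) << width) if node else 0
    under = set(range(first, first + (1 << width)))
    if under <= authorized:
        return [node]
    if not under & authorized:
        return []
    return cover(authorized, node + "0") + cover(authorized, node + "1")


def build_ekb(authorized, renewed_key):
    """EKB entries: (tag, Enc(cover key, renewed key)); the tag is the node path."""
    return [(n, wrap(NODE_KEYS[n], renewed_key)) for n in cover(set(authorized))]


def process_ekb(held, ekb):
    """Device side: decrypt the single entry whose tag names a key the device holds."""
    for node, blob in ekb:
        if node in held:
            return unwrap(held[node], blob)
    return None


def opens_with_any_key(held, ekb):
    """Check for a revoked device: does any held key open any entry?"""
    return any(unwrap(k, blob) is not None for _, blob in ekb for k in held.values())


def fig20_scenario():
    """Device 3 revoked: renew K(t)00 for devices 0, 1, 2 and send Enc(K(t)00, Kicv)."""
    k_t00 = secrets.token_bytes(16)      # renewed node key K(t)00
    k_icv = secrets.token_bytes(16)      # ICV generation key to deliver
    ekb = build_ekb({0, 1, 2}, k_t00)
    data = wrap(k_t00, k_icv)
    got = {}
    for dev in range(2 ** DEPTH):
        node_key = process_ekb(device_keys(dev), ekb)
        got[dev] = unwrap(node_key, data) if node_key else None
    return ekb, k_icv, got
```

For three scattered leaves the cover is the three leaf keys themselves, which is the one-step form of Fig. 27(b); when every leaf under a node is authorized, a single entry under that node's key replaces the per-leaf entries.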

[0163] The simplified hierarchical tree structure is useful, in particular, when the EKB is managed on the basis of category trees, wherein the category tree is one type of subtree, as will be described below. The category tree is a set of nodes or leaves selected from nodes or leaves of an original key distribution tree. A category tree may be formed in various aspects. For example, a category tree may be a set of nodes or leaves that are combined together in accordance with the device type,
the device euppfior tie confer p - - c 1 
a ice it s itjtt r^ c i c i 
in terms of process, management, or services provided. Devices classified into one category are assigned to one category tree. For example, if constructing a simplified
! t v idin i t 1 - pit ality of cat- 

if an EKB is produced on the basis of the constructed tree, then the resultant simplified enabling key block (EKB) can be decrypted only by devices belonging to any one of the category trees. The management on the basis of the category trees will be described in detail later.

[0164] The enabling key block (EKB) may be stored on an information storage medium such as an optical disk or a DVD. For example, an enabling key block (EKB) including a data part including encrypted key data and a tag part including location identification data identifying the locations of the encrypted key data in a hierarchical tree structure may be stored together with message data such as a content encrypted using a renewed node key on an information storage medium, and the resultant information storage medium may be provided to devices. Each device can sequentially extract encrypted key data included in the enabling key block (EKB) in accordance with the identification data in the tag field, and can decrypt the extracted encrypted key data thereby acquiring a key needed to decrypt a content and thus using the content. Of course, the enabling key block (EKB) may be transmitted via a network such as the internet.

[Management of EKB on a category tree basis]

[0165] A manner of managing nodes or leaves in a tree structure for use in key distribution in accordance with a block or a set of nodes or leaves is described below. Herein, a block, which is a set of nodes or leaves, is referred to as a category tree. A category tree may be formed in various aspects. For example, a category tree may be a set of nodes or leaves that are combined together in accordance with the device type, the device
supplier the cement provider, or the clearance institu- 
tion, or in accordance with a coram r ' s r : m 

it, or services provided. 
[0166] The category tree may be described in further detail with reference to Fig. 28. Fig. 28(a) shows a manner of managing a tree structure in units of category trees. In Fig. 28(a), each category tree is represented by one triangle. Each category tree, for example, that denoted by reference numeral 2701, includes a plurality of nodes. Fig. 28(b) shows a node structure in one category tree. Each category tree is constructed in the form
r a b -ia \ f t j end a plurality of 

nodes at lower levels. Herein, a top node, such as that denoted by reference numeral 2702, of each category tree is referred to as a sub-root.
[0167] As shown in Fig. 28(c), there are leaves, that

S devices tfiOV i t ^u'lCami 

io one o cats j r top cede 

2702 serving as a sub-root and a plurality of leaves cor- 
responding to devices. 



£0168] Asc S{a category frees 

have a hieraret d bi if with 

[0169] Fig. 29(a) illustrates an example of the hierarchical structure in a simplified fashion. In this specific example, the hierarchical category tree structure includes category trees A01 to Ann at a certain level below Kroot. At a level just below the category trees A1 to An, category trees B01 to Bnk are disposed. At a next lower level, category trees C1 to Cnq are disposed. As shown in Figs. 29(b) and (c), each category tree has a tree structure in which nodes and leaves are disposed at a plurality of levels.

[0170] For example, the category tree Bnk has a tree structure including, as shown in Fig. 29(b), a top node 2811 serving as a sub-root, endpoint nodes 2812, and other nodes located between the top node 2811 and the endpoint nodes 2812. The category tree is assigned an identifier Bnk and manages the nodes within the category tree Bnk independently for the category tree Bnk, thereby managing lower-level category trees each of which includes, as its top node, one of endpoint nodes
2812 On ie ether hand Bnk is mar 

jeti by a hie i ,ti^n one 

2* ofendpolnt nodes 2811 of which is incfude-d. as the sub- 
root 2811 in the category free Bnk. 
[0171] As shown in Fig. 28(c), a category tree Cn3 has
a tree structure including a top node 2851 serving as a
sub-root, endpoint nodes 2852 corresponding to respective
devices that are leaves in this case, and other
nodes between the top node 2851 and the endpoint
nodes 2852. This category tree is assigned an identifier
Cn3 snd mana I s a . within the 1 

egory tree Cn3 independently for' the category tree Cn3 

35 thereby rv i t > as - > ■ xt -it fhe ompoinl 
nodes 2862. On the other narsri, the category tree Cn3 
is managed by ah s - - , tr , > " 

one of endpoint nodes of which is included, as the
sub-root 2851, in the category tree Cn3. Herein, the key
management refers to, for example, renewal of a key,
revoking, or the like, as will be described in detail later.

[0172] En each device eo - ) ' ; a leaf in ae; 

c m 3ory ee 

to which that device belongs, and node keys at respective
nodes existing in a path from the leaf to the top node
serving as the sub-root node of that category tree are
stored. For example, for a device at an endpoint node,
keys corresponding to the nodes in the path from the
endpoint node to the sub-root node 2851 are stored.

[0173] The category tree is further described with
reference to Fig. 30. Each category tree can
have a tree structure including various levels. The
ss Ocptr t au a :> , spend i g > e 

rj icet v I a t t a- 

spending to en | s jr., 

pending on the number of devices to leaves.
[0174] The structure shown in Fig. 30(a)

may be embodied as shown in Fig. 30(b). Herein, a root 
tree is a tree f« rae has « 

root key 6 , e v y trees A. B, 

jnd C 3 iispcseci a spec! fil nodes of the 

root tree. A further lower-level category tree D is
disposed below the category tree C. In the category tree
C 2901, one or more endpoint nodes are reserved as
reserved nodes 2950 so that another lower-level category
tree can be added in the future by using the reserved
node 2950. For example, a category tree C2802 having
a multilevel tree structure may be added by assigning
the reserved node 2950 as the top node of the new
category tree.

[0175] The reserved nodes are described in further
detail below with reference to Fig. 31. A category tree A
(3011) has lower-level category trees B, C, D, and so on
managed by the category tree A (3011), and also has
one reserved node 3021. For example, the number of
lower-level category trees may be increased in such a
manner that the reserved node 3021 is assigned to a
lower-level category tree A' (3012), and further lower-level
category trees F and G may be connected to endpoint
nodes of the lower-level category tree A' (3012). The
lower-level category tree A' (3012) may reserve at least
one endpoint node so that a further lower-level category
tree A" (3013) may be added. The lower-level category
tree A" (3013) may reserve one or more endpoint
nodes. By reserving endpoint nodes in the above-described
manner, it becomes possible to increase the
number of lower-level category trees managed by a certain
category tree without limitation. The number of reserved
category trees is not limited to one, but a plurality
of endpoints may be reserved.
[0176] Each category tree may produce an enabling
key block (EKB) independently of the other category
trees, and key renewal and revocation may be performed
independently of the other category trees. As
awn i,j " o r h n , - k i 
signed to re c \. A', and A The < 

enabling key blocks (EKB's) may be managed by, for
example, a device manufacturer that manages the
category trees A, A', and A".

[Registration of a new category tree]

[0177] Registration of a new category tree is described
below. Fig. 32 shows a registration processing
sequence. A new (child) category tree (N-En) to be added
to the tree structure issues a new registration request
to an upper-level (parent) category tree (P-En). Each
category tree has its own public key according to the
public key cryptography scheme. When the new category
tree issues the registration request, it transmits its
public key to the upper-level category tree (P-En).
[0178] Upon receiving the registration request, the
upper-level category tree (P-En) transfers the received
public key of the new (child) category tree (N-En) to a
certificate authority (CA) to receive a public key of the
new (child) category tree having a signature of the CA.
The above procedure is performed in mutual authentication
between the upper-level category tree (P-En) and
the new (child) category tree (N-En).
[0179] If the authentication of the category tree
requesting new registration is completed via the above
process, the upper-level category tree (P-En) gives
permission of the registration of the new (child) category
tree (N-En) and transmits a node key assigned to the
new (child) category tree to the new (child) category tree
(N-En). This node key corresponds to one of endpoint
nodes of the upper-level category tree (P-En), and also
corresponds to the top node or a sub-root key of the new
(child) category tree (N-En).
[0180] After the completion of the transmission of the
node key, the new (child) category tree (N-En) builds a
tree structure of the new category tree (N-En) and
sets the received sub-root key at the top node of the tree
structure. Furthermore, keys are set at the respective
nodes and leaves, and an enabling key block (EKB)
associated with the category tree is produced. An enabling
key block (EKB) associated with a category tree is
referred to as a sub-EKB.

[0181] On the other hand, the upper-level category
tree (P-En) produces a sub-EKB associated with the
upper-level category tree (P-En) such that an endpoint
node, which was made active when the new (child)
category tree was connected thereto, is reflected in the
sub-EKB.

[0182] After the new (child) category tree (N-En)
produces the sub-EKB consisting of node keys and leaf
keys within the new (child) category tree (N-En), the new
(child) category tree (N-En) transmits the resultant
sub-EKB to the upper-level category tree (P-En).
[0183] Upon receiving the sub-EKB from the new
(child) category tree (N-En), the upper-level category
tree (P-En) transmits the received sub-EKB together
with the renewed sub-EKB of the upper-level category
tree (P-En) to a key distribution center (KDC).
{0184} On i i ill tie >rytt - 

1"- k y ii- r r roouce an f KB 

in various manners. An EKB can be produced
such that only a specified category tree or a specified
device can decrypt the EKB. If the EKB produced
so as so b ii rypted by a pe fiedc 

r, i i\ ulcieci to so mo o a < r 

tent key on the basis of the received EKB and supplies
the encrypted content key via a network or supplies a
storage medium on which the encrypted key is stored,
it becomes possible to provide a content such that the
content can be used only by the specified device.

[0185] The manner of registration of a sub-EKB of a
new category tree with the key distribution center (KDC)
is not limited to transmission of the sub-EKB via
an upper-level category tree, but registration may also
be possible by directly transmitting the sub-EKB from
the new category tree to the key distribution center
(KDC) without passing it via the upper-level category
tree.

[0186] The correspondence between an upper-level
category tree and a lower-level category tree that is
newly added to the upper-level category tree is described
below with reference to Fig. 32. By providing, as
a top node of the new category tree to be added, one
endpoint node 3201 of the upper-level category tree to
the lower-level category tree, the lower-level category
tree can be added as one of the category trees that are
managed by the upper-level category tree. As will be
described in detail later, category trees managed by the
upper-level category tree refer to those category trees
that can be revoked by the upper-level category tree.
[0187] As shown in Fig. 33, if a new category tree is
added to an upper-level category tree, the same one
node acts as one endpoint node or leaf 3201 of the
upper-level category tree and also as the top node 3502
of the newly added category tree. That is, one endpoint
node serving as one leaf of the upper-level node is set
to be the sub-root of the newly added category tree. By
performing the setting in the above-described manner,
the newly added category tree becomes one of active
category trees in the tree structure.
[0188] Fig. 34 shows an example of a renewed EKB
that is produced by an upper-level category tree when
a new category tree is added. That is, Fig. 34 shows an
example of a sub-EKB that is produced by the upper-level
category tree when, in a situation in which the
upper-level category tree has a tree structure including, as
shown in Fig. 34(a), an active endpoint node (node 000)
3301 and an active endpoint node (node 001) 3302, an
e mr, :int no 1 ^ i vided 

[0189] The sub-EKB has a format shown in Fig. 34(b).
That is, the sub-EKB is a list of a high-level node key
encrypted using an endpoint node key, a higher-level
node key encrypted using the upper-level node
key, ..., and finally a sub-root key. The sub-EKB is
produced according to this format. Each category tree has
its own EKB in the form of encrypted data including, as
with the sub-EKB shown in Fig. 34(b), a high-level node
key encrypted using an endpoint node key or leaf
key, a higher-level node key encrypted using the
high-level node key, ..., and finally a sub-root. The EKB of
each category tree is managed by that category tree
itself.

[Revocation under the management of a category tree] 

[0190] Revocation of a device or a category tree performed
in a key distribution tree structure that is
managed on a category tree by category tree basis is
described below. In the examples shown in Figs. 3 and
4, an enabling key block (EKB) is produced such that
the resultant enabling key block can be decrypted
by authorized devices but a revoked
device cannot decrypt the enabling key block
(EKB). In the examples shown in Figs. 3 and 4, revocation
is performed for a device assigned to a specific leaf
in the tree structure. In a case where management is
performed on a category tree basis, revocation can be
performed on a category tree basis.
[0191] Referring to Fig. 36 and following figures, a
revocation process performed in a situation in which
management is performed on a category tree basis is
described below. Fig. 35 shows a process of revoking a
oitoq i eea e e the tees e ore t 

eluding a plura i disc tievices 

belonging to the revoked category tree are all revoked. 

[0192] Fig. 35(a) shows a key distribution tree structure
managed in units of category trees. In this specific
example, a root node is disposed at the top of the
tree, and category trees A01 to Ann are disposed at a
certain level below the root node. Category trees B01 to
Bnk are disposed at a lower level, and category trees
C1 to Cn are disposed at a further lower level. Category
trees at the lowest level have endpoint nodes (leaves)
assigned to respective devices such as a recording/
playing-back apparatus and a playback apparatus.

so { ng; perform* c by the 

tiger, e or e >ie. the ca'egc % 
i 4 ~ 1 st > v-d > en revoke a device 

at a leaf. Fig. 35(b) shows a tree structure of a category
tree Cn (3430) that is one of the category trees at the
lowest level. The category tree Cn (3430) has a top node
3431, and a plurality of devices are assigned to respective
leaves at the endpoint nodes.
[0194] When, for example, a device 3432 assigned to
a leaf at a certain endpoint node should be revoked, the
category tree Cn (3430) renews the category tree Cn
itself and produces an enabling key block (sub-EKB)
consisting of node keys and leaf keys included in the
renewed category tree Cn. This enabling key block cannot
be decrypted by the revoked device 3432 but can
be decrypted by devices assigned to the other
leaves. A manager of the category tree Cn produces
such an enabling key block as a renewed sub-EKB.
More specifically, node keys at nodes 3431, 3434, and
3435 in a path from the sub-root to the device 3432 to
be revoked are renewed, and a renewed sub-EKB is
produced in the form of encrypted key data such that
the renewed node keys are reflected in the renewed
sub-EKB, thereby ensuring that the renewed sub-EKB
can be decrypted only by devices other than the revoked
device 3432. This revocation process is equivalent
to the revocation process described above with
reference to Figs. 3 and 4, if the root key is replaced with
the sub-root key that is a top node key of the category
tree.
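
The device revocation of paragraph [0194], as an added Python example that is not part of the patent text: a category tree renews the node keys on the path above a revoked leaf and issues a sub-EKB that every other device can process but the revoked one cannot. The heap-ordered binary tree, the names CategoryTree and process_sub_ekb, and the toy HMAC-SHA256 cipher standing in for the unspecified encryption are assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 16


def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode). Assumption: it stands in
    # for the cipher, which the text does not specify.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key, plaintext):
    """Enc(key, plaintext) -> nonce || ciphertext || 8-byte tag."""
    nonce = os.urandom(8)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:8]
    return nonce + body + tag


def dec(key, blob):
    """Return the plaintext, or None if the blob was not produced under this key."""
    nonce, body, tag = blob[:8], blob[8:-8], blob[-8:]
    want = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))


class CategoryTree:
    """Complete binary tree in heap order: node 1 is the sub-root,
    node n has children 2n and 2n+1, and the last level holds the leaves."""

    def __init__(self, depth):
        self.depth = depth
        self.keys = {n: os.urandom(KEY_LEN) for n in range(1, 2 ** (depth + 1))}

    def leaves(self):
        return range(2 ** self.depth, 2 ** (self.depth + 1))

    def path(self, leaf):
        """Nodes from the leaf up to the sub-root, leaf first."""
        nodes = []
        while leaf >= 1:
            nodes.append(leaf)
            leaf //= 2
        return nodes

    def device_keys(self, leaf):
        """Keys a device stores: its leaf key and every node key up to the sub-root."""
        return {n: self.keys[n] for n in self.path(leaf)}

    def revoke(self, leaf):
        """Renew all node keys above the revoked leaf; return the renewed sub-EKB
        as a bottom-up list of (encrypting node, renewed node, ciphertext)."""
        above = self.path(leaf)[1:]
        renewed = {n: os.urandom(KEY_LEN) for n in above}
        sub_ekb = []
        for node in above:
            for child in (2 * node, 2 * node + 1):
                if child == leaf:
                    continue  # nothing is encrypted under the revoked leaf key
                child_key = renewed.get(child, self.keys[child])
                sub_ekb.append((child, node, enc(child_key, renewed[node])))
        self.keys.update(renewed)
        return sub_ekb


def process_sub_ekb(held, sub_ekb):
    """Device side: walk the sub-EKB bottom-up, decrypting whatever the held keys open."""
    held = dict(held)
    for child, node, blob in sub_ekb:
        if child in held:
            key = dec(held[child], blob)
            if key is not None:
                held[node] = key
    return held


if __name__ == "__main__":
    tree = CategoryTree(depth=3)        # constructed sample: 8 devices at leaves 8..15
    stored = {leaf: tree.device_keys(leaf) for leaf in tree.leaves()}
    sub_ekb = tree.revoke(8)            # revoke the device at leaf 8
    for leaf, held in stored.items():
        ok = process_sub_ekb(held, sub_ekb)[1] == tree.keys[1]
        print(f"leaf {leaf}: {'has' if ok else 'lacks'} the renewed sub-root key")
```

The renewed sub-root key recovered here is the value a parent category tree would install at its matching endpoint node before renewing its own path, as paragraphs [0195] to [0199] describe.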

[0195] The enabling key block (sub-EKB) renewed via
the revocation process performed by the category tree
Cn (3430) is transmitted to a higher-level category tree.
In this specific example, the high-level category tree is
a category tree Bnk (3420), which includes, as one of
endpoint nodes, the top node 3431 of the category tree
Cn (3430).

[0196] If the category tree Bnk (3420) receives the
enabling key block (sub-EKB) from the lower-level category
tree Cn (3430), the category tree Bnk (3420) replaces
the key assigned to the endpoint node 3431 of the
category tree Bnk (3420) corresponding to the top node
3431 of the category tree Cnk (3430) with the key
renewed in the lower-level category tree Cn (3430), and
the category tree Bnk (3420) renews its own sub-EKB.
Fig. 35(c) shows the tree structure of the category tree
Bnk (3420). In the category tree Bnk (3420) shown in
Fig. 35(c), it is needed to renew node keys in a path from
the sub-root 3421 to the endpoint node 3431 connected
to the category tree including the device to be revoked.
More specifically, it is needed to renew node keys
assigned to nodes 3421, 3424, and 3425 in the path
connected to the node 3431 of the category tree that has
transmitted the renewed sub-EKB. After renewing the node
keys corresponding to these nodes, the category tree Bnk
(3420) produces its renewed sub-EKB so as to reflect
the renewed node keys.

[0197] The renewed enabling key block (sub-EKB)
produced by the category tree Bnk (3420) is transmitted
to the further higher-level category tree. In this specific
example, the further higher-level category tree is a
category tree Ann (3410), which includes, as one of
endpoint nodes, the top node 3421 of the category tree
Bnk (3420).

[0198] If the category tree Ann (3410) receives the
enabling key block (sub-EKB) from the lower-level category
tree Bnk (3420), the category tree Ann (3410) replaces
the key assigned to the endpoint node 3421 of the
category tree Ann (3410) corresponding to the top node
3421 of the category tree Bnk (3420) with the renewed
key included in the enabling key block received from the
lower-level category tree Bnk (3420), and the category
tree Ann (3410) renews its own sub-EKB. Fig. 35(d)
shows the tree structure of the category tree Ann (3410).
In the category tree Ann (3410) shown in Fig. 35(d), it
is needed to renew node keys assigned to nodes 3411,
3414, and 3415 in a path from the sub-root 3411 to the
endpoint node 3421 connected to the category tree that
has transmitted the renewed sub-EKB. After renewing
the node keys corresponding to these nodes, the category
tree Ann (3410) produces its renewed sub-EKB so
as to reflect the renewed node keys.
[0199] The above-described process is performed for
further higher-level category trees until the root category
tree shown in Fig. 30(b) has been renewed. Via the
sequence of processes described above, revocation of the
device is completed. The renewed sub-EKB's produced
by the respective category trees are finally transmitted
to the key distribution center (KDC) and stored therein.
The key distribution center (KDC) produces various
EKB's on the basis of all renewed sub-EKB's. Each
renewed EKB has a form of an encrypted key block that
cannot be decrypted by the revoked device.
[0200] The sequence of device revocation processes
is shown in Fig. 38. In the sequence shown in Fig. 38,
a device management category tree (D-En) performs
key renewal needed
to revoke a leaf from the device management category
tree (D-En) and produces a renewed sub-EKB(D) of the
device management category tree (D-En). The renewed
sub-EKB(D) is transmitted to a higher-level category
tree. Upon receiving the renewed sub-EKB(D), the
higher-level (parent) category tree (P1-En) renews the node
key assigned to the endpoint node corresponding to the
top node of the renewed sub-EKB(D) and also node
keys assigned to nodes in the path from that endpoint
node to the sub-root, and then produces a renewed
sub-EKB(P1) so as to reflect the renewed node keys.
The above-described process is performed for further
higher-level category trees, and all renewed sub-EKB's
that are finally obtained are stored in the key distribution
center (KDC) and managed thereby.
[0201] Fig. 37 shows an example of a renewed enabling
key block (sub-EKB) produced by a higher-level
category tree in a device revocation process.

c'- [0202 ' - e> /i" . ' 

is i j i en o EKB from a iower- 

levei category tree shown in Fig. 37{a) including a de- 
vice to be evoked a 1 y tree produc- 
es a renewed EKB. The top node of the lower-level cat- 
egory tree including the device to be revoked corresponds
to an endpoint node (node 100) 3601 of the
higher-level category tree.

[0203] The higher-level category tree renews node
keys in the path from the sub-root of the higher-level
category tree to the endpoint node (node 100)
3601 and produces a renewed sub-EKB so as to reflect
the renewed node keys. The resultant renewed
sub-EKB is shown in Fig. 37(b). In Fig. 37(b), the
renewed keys are underlined and primed. As described
above, the node keys in the path from the renewed
endpoint node to the subroot are renewed, and the renewed
sub-EKB of the category tree is produced so as to reflect
the renewal of the node keys.
[0204] Now, revocation of a category tree is described.

[0205] Fig. 38(a) shows an example of a key distribution
tree structure managed in units of category trees.
In this specific example, a root node is disposed
at the top of the tree, and category trees A01 to Ann
are disposed at a certain level below the root node.
Category trees B01 to Bnk are disposed at a lower level,
and category trees C1 to Cn are disposed at a further
lower level. Category trees at the lowest level have
endpoint nodes (leaves) assigned to respective devices
such as a recording/playing-back apparatus and a
playback apparatus.

[0206] Herein it is assumed that the category tree Cn
(3730) should be revoked. The category tree Cn (3730)
at the bottom includes a top node 3431 as shown in Fig.
38(b), and a plurality of devices are assigned to respective
leaves at the endpoint nodes.
[0207] By revoking the category tree Cn (3730), it is

tree Cn (3730) from the tree structure at the same time.
Revocation of the category tree Cn (3730) is performed
by the category tree Bnk (3720) that is at the next level
higher than the category tree Cn (3730). The category tree
Bnk (3720) includes, as one of endpoint nodes, the top
node 3721 of the category tree Cn (3730).
[0208] In order to revoke the lower-level category tree
Cn (3730), the category tree Bnk (3720) renews an endpoint
node 3731 of the category tree Bnk (3720)
corresponding to the top node 3731 of the category tree Cnk
(3730) and further renews node keys in the path from
the category tree 3730 to be revoked to the subroot of
the category tree Bnk (3720). The category tree Bnk
(3720) then produces an enabling key block serving as
a renewed sub-EKB. Herein, the node keys to be renewed
are node keys in the path from the subroot 3731
shown in Fig. 38(c) to the endpoint node 3731 that is also
the top node of the category tree to be revoked. More
specifically, node keys assigned to nodes 3721, 3734,
3725, and 3731 are renewed. After renewing the node
keys corresponding to these nodes, the category tree
Bnk (3720) produces its renewed sub-EKB so as to
reflect the renewed node keys.
[0209] Alternatively, when the category tree Bnk
(3720) revokes the lower-level category tree Cn (3730),
the category tree Bnk (3720) may not renew its endpoint
node 3731 corresponding to the top node 3731 of the
category tree Cnk 3730, but the category tree Bnk
(3720) may renew the other node keys in the path
from the category tree to be revoked to the subroot
of the category tree Bnk 3720 and may produce an
enabling key block serving as a renewed sub-EKB.
[0210] The renewed enabling key block (sub-EKB)
produced by the category tree Bnk (3720) is transmitted
to a higher-level category tree. In this specific example,
the further higher-level category tree is a category tree
Ann (3710), which includes, as one of endpoint nodes,
the top node 3731 of the category tree Bnk (3720).
[0211] If the category tree Ann (3710) receives the
enabling key block (sub-EKB) from the lower-level category
tree Bnk (3720), the category tree Ann (3710) replaces
the key assigned to the endpoint node 3721 of the
category tree Ann (3710) corresponding to the top node
3721 of the category tree Bnk (3720) with the renewed
key included in the enabling key block received from the
lower-level category tree Bnk (3720), and the category
tree Ann (3710) renews its own sub-EKB. Fig. 38(d)
shows the tree structure of the category tree Ann (3710).
In the category tree Ann (3710) shown in Fig. 38(d), it
is needed to renew node keys assigned to nodes 3711,
3714, and 3715 in a path from the sub-root 3711 to the
endpoint node connected to the category tree that
has transmitted the renewed sub-EKB. After renewing
the node keys corresponding to these nodes, the category
tree Ann (3710) produces its renewed sub-EKB so
as to reflect the renewed node keys.

[0212] The above-described process is performed for
further higher-level category trees until the root category
tree shown in Fig. 30(b) has been renewed. Via the
sequence of processes described above, revocation of the
category tree is completed. The renewed sub-EKB's
produced by the respective category trees are finally
transmitted to the key distribution center (KDC) and
stored therein. The key distribution center (KDC) produces
various EKB's on the basis of all renewed
sub-EKB's. Each renewed EKB has a form of an encrypted
key block that cannot be decrypted by any device
belonging to the revoked category tree.

[0213] The sequence of category tree revocation
processes is shown in Fig. 33. In the sequence shown
in Fig. 33, a category tree management category tree
(E-En), which wants to revoke some category tree, performs
key renewal needed to isolate an endpoint node
to be revoked from the category tree management category
tree (E-En), and produces a renewed sub-EKB(E)
of the category tree management category tree (E-En).
The renewed sub-EKB(E) is transmitted to a higher-level
category tree. Upon receiving the renewed sub-EKB
(E), the higher-level (parent) category tree (P1-En)
renews the node key assigned to the endpoint node
corresponding to the renewed top node of the renewed
sub-EKB(E) and also node keys assigned to nodes in
the path from that endpoint node to the sub-root, and
then produces a renewed sub-EKB(P1) so as to reflect
the renewed node keys. The above-described process
is performed for further higher-level category trees, and
all renewed sub-EKB's that are finally obtained are
stored in the key distribution center (KDC) and managed
thereby. The key distribution center (KDC) produces
various EKB's on the basis of all renewed sub-EKB's.
Each renewed EKB has a form of an encrypted key
block that cannot be decrypted by any device belonging
to the revoked category tree.

[0214] Fig. 40 illustrates the correspondence between
a revoked lower-level category tree and a higher-level
category tree that has revoked the lower-level category
tree. The endpoint node 3931 of the higher-level category
tree and the node keys in the path from the endpoint
node 3931 to the subroot of the higher-level category
tree are renewed. Furthermore, a new sub-EKB is
produced such that the renewal of the node keys is
reflected. As a result, the node key of the top node 3902
of the revoked lower-level category tree and the node
key of the endpoint node of the higher-level category
tree become different from each other. Because
rfTv L<bf or- i center (KDC) 

ss after the rev > >nol >ry s is based on ihs 

key of the ei i J » d by the higher- 

it vi ite , >t\ i i) iding tot' 

of the lower-level category tree cannot have the renewed
key and cannot decrypt the EKB produced
by the key distribution center (KDC).
[0215] Aithcog - t ceo above, «t 

caie )iytr€ t wtagos eoyicas 

level and f s -g a w h i t. category i\ 
also foe revoke tec tc «i 

higher level, the category tree to be revoked m a simitar 
maorw 5 t fcs ' >«v« * an < n«m 
c jementc i!eg / t ile - ! 1 i p( -do 
s a t g >ry ti ees tc* 

devices belonging directly or indirectly to the revoked

[0216] As described above, revocation of a category
tree makes it possible to perform revocation more easily
than in the case where revocation is performed in units
of devices.

la 'i category tree] 

[0217] When keys are distributed on the basis of category
trees, the capability of each entity may be managed
and a content may be distributed depending on the
capability as described below. Herein, the term capability
is used to represent or define what kinds of contents
or programs a device can deal with. Examples of
capabilities include a capability of decompressing audio data
compressed according to a specific compression
scheme, a capability of audio reproduction according to
a specific scheme, and a capability of processing a
particular image processing program.
[0218] Fig. 41 shows an example of a category tree
structure in which capabilities are defined. A
root node is disposed at the top of the key distribution
f o s ' jet e r t f Dry trei i fee 

form of a b« .< \ tt : - . -d at Sower levels. For 

example, a category tree 4001 is defined as having an
audio playback capability according to one of audio
playback schemes A, B, and C. More specifically, for
example, when music data compressed by an audio
compression program A, B, or C is distributed, any device
belonging to category trees that belong to the category
tree 4001 can decompress the compressed data.

[0219] Similarly, a category tree 4002 is defined as
having audio playback capability according to one of
audio playback schemes B and C, a category tree 4003 is
defined as having audio playback capability according
to one of audio playback schemes A and B, a category
tree 4004 is defined as having audio playback capability
according to the audio playback scheme B, and a category
tree 4005 is defined as having audio playback
capability according to the audio playback scheme C.
[0220] On the other hand, a category tree 4021 is defined
as having video playback capability according to
any one of schemes p, q, and s, a category tree 4022 is
defined as having video playback capability according

and q, and a category tree 4023
is defined as having video playback capability according

[0221] The capability information of respective category
trees is managed by the key distribution center
(KDC). For example, when a certain content provider
wants to distribute music data compressed by a specific
compression program to various devices, the key
distribution center (KDC) produces an enabling key block
(EKB) that can be decrypted only by devices capable of
playing back music data compressed by that specific
compression program, on the basis of the capability
information of the respective category trees. The content
provider encrypts a content key using the enabling key
block (EKB) produced in accordance with the capability
information and distributes the resultant encrypted content
key. The content provider also provides compressed
audio data encrypted using the content key to
devices. This makes it possible to securely provide a
specific processing program only to devices capable of
processing the data.

[0222] In the example shown in Fig. 41, capability
information is defined for all category trees. However, it is
not necessarily needed to define capability information
for all category trees. For example, as shown in Fig. 42,
capability information may be defined only for lowest-level
category trees, and capability
information of devices belonging to the lowest-level
category trees is managed by the key distribution center
(KDC). In this case, in response to a request from a
content provider, the key distribution center (KDC) produces
an enabling key block (EKB) that can be decrypted only
by devices having a capability specified by the content
provider, on the basis of the capability information
defined for the lowest-level category trees. In the example
shown in Fig. 42, capabilities are defined for category
trees 4101 to 4106 whose endpoint nodes are related

tc dt - ICS I 1 at IVO 0(50 y 

trees irern me /< > < r Outlet < t t (KOC) 
For exam < ig audio i svb - is 

j e t rtyaccoi i t me I vingavideoptey 

t ickca it t heme i a ts relate i 

t c.f.i, 'n 4- r I es having an aedic .fa-, 
it r f a i Iky i A and havi >g 

v den g vf j to the- scheme q 

are related to the category tree 4102.

[0223] Fig. 43 shows an example of a capability management
table managed by the key distribution center
(KDC). Fig. 43(a) shows the data format of the capability
management table. A category tree ID is an identifier
that identifies a category tree. A capability list indicates
capabilities defined for a category tree indicated by a
category tree ID. As shown in Fig. 43(b), the capability
list consists of a plurality of bits each indicating whether
various capabilities are available or not. For example, if
the audio data playback capability according to the scheme
(A) is available, the corresponding bit is set to "1", but
the bit is set to "0" if the capability is not available.
Similarly, for the audio data playback capability according
to another scheme, the bit is set to "1" if the
capability is available, but the bit is set to "0" if the
capability is not available. Note that the method of setting
o c c ao ,' < c t Pes i b 

ib < o t ay atsc t f mpioyed as 

long as the ma i l ibaltties of the 

jevioes :nan;K ■ i 

[0224] The capability management table further
includes data representing the sub-EKB of each category
tree. In a case where sub-EKB's are stored separately,
identification information of the
sub-EKB is described instead of the sub-EKB itself.
Furthermore, the capability management table also
includes data indicating the subroot node of each category
tree.

[0225] On the basis of the capability management table,
the key distribution center (KDC) produces an enabling
key block (EKB) that can be decrypted only by devices
having a capability of playing back a specific content.
Referring to Fig. 44, the process of producing an
enabling key block on the basis of the capability
information is described below.

[0226] First, in step S4301, the key distribution center
(KDC) selects a category tree having a specified capability
from the capability management table. More specifically,
for example, when a content provider wants to
distribute audio data according to the audio data playback
scheme A, the key distribution center (KDC)
refers to the table shown in Fig. 43(a) and selects
category trees having a value of "1" in the bit
corresponding to audio data playback according to
the scheme A.

[0227] Then in step S4302, the key distribution center
(KDC) produces a list of ID's of selected category trees.
Thereafter, in step S4303, the key distribution center
(KDC) selects a path that should be included in a tree
formed by selected category trees indicated by the ID's
(that is, a path to be included in a key distribution tree).
It is then determined whether all paths included
in the selected category tree ID's have been selected.
If not, the selection
in step S4303 is performed until all paths have been
selected. That is, in the case where a plurality of category
trees are selected, paths corresponding to the respective
category trees are sequentially selected.
[0228] If all paths included in the selected category
tree ID's have been selected, the process proceeds to
step S4305, and a key distribution tree structure
is produced.
[0229] Then in step S4306. node keys included in the 
free structure produced in step S4305 are renewed 
thereby producing renewed node keys. Furthermore. 
sub-IKB : s ot the selected category trees included n tee 
key distribute nee structure are extracted 'rem the ca- 
pability management labia. On the basis ol the axe acted 
sub-E <B c 

84306, an enabling key biock {EKB} te produced such 



t a i J cc u , 5 included in 

the selected category trees. The enabling key block 
( ti t nnet ct i be 

usedoni\ by pec edcapab b. 

5 that is., the e y an be decrypted 

only by such devices. If, for example, a content key is
nc ypted using t (EK to a 

content compt i sertcryft tea 

using Iha - ' tt - s a ill ar i t ic vpted 

content key and content are provided to devices, then only the devices having a specific capability selected
t , \ ^k-y > « use the come 

[0230] As described above, the key distribution center (KDC) produces an enabling key block (EKB) that can be decrypted only by devices having capability of playing back a specific content, on the basis of the capability management table. Thus, when a new category tree is registered, it is needed to acquire capability information of the new category tree to be registered. The method of notification of capability in the new category tree registration process is described below with reference to Fig. 45.

[0231] Fig. 45 shows a capability notification sequence performed when a new category tree is added to the key distribution tree structure.

[0232] A new (child) category tree (N-En) to be added to the tree structure issues a new registration request to an upper-level (parent) category tree (P-En). Each cat-
^uty'ta a it o\np < c inpt. 'i-oprbiic 

key cryptography scheme. When the new category tree issues the registration request, it transmits its public key to the upper-level category tree (P-En).
[0233] Upon receiving the registration request, the upper-level category tree (P-En) transfers the received public key of the new (child) category tree (N-En) to a certificate authority (CA) to receive a public key of the new (child) category tree having a signature of the CA. The above procedure is performed in mutual authentication between the upper-level category tree (P-En) and the new (child) category tree (N-En).

[0234] If the authentication of the category tree requesting for new registration is completed via the above
f ocess heupt elcair ry tree 1 men. - \. st 
• ration of the new (cPid - , q^ -v 

tree (N-En) and transmits a node key assigned to the new (child) category tree to the new (child) category tree (N-En). This node key corresponds to one of endpoint nodes of the upper-level category tree (P-En), and also corresponds to the top node or a sub-root key of the new (child) category tree (N-En).

[0235] Aft the-tiansmi r h 

node key, the new (child) category tree (N-En) builds a
tree str t m of he new i t - ,\ En a< 

sets the race ^t jtt r e 

structure. Furthermore, keys are set at the respective
nodes andleav j ti f-ai x. y b 

associ ed wi i tree is produced Oe the 

oSfterhand thet sper e\ sl« tege-ry ree(P £n')prerlt - 
■ - eve category

tree (P-En) such that an endpoint node, which was
t nici cut \ t < o v as 

connected thereto, is reflected in the sub-EKB.
[0236] If the production of the sub-EKB including the node keys and leaf keys of new (child) category tree (N-En) is completed, the new (child) category tree (N-En) transmits it to the upper-level category tree (P-En). Furthermore, the new (child) category tree (N-En) transmits the capability information of devices managed by the category tree to the upper-level category tree.

[0237] Upon receiving the sub-EKB and the capability information from the new (child) category tree (N-En), the upper-level category tree (P-En) transfers the received sub-EKB and capability information together with a renewed sub-EKB of the upper-level category tree (P-En) to the key distribution center (KDC).
[0238] The key distribution center (KDC) registers the received sub-EKB and capability information of the category tree in the capability management table described above with reference to Fig. 43, thereby obtain-
3 *t p - i c -i > Or t aba 

' r i - 1 (tt p r [I n t n the Key 

J -t ibi "ii t i \B in various 

manners. For example, the EKB can be produced such 

' •> 1 * c >! t I 1 f I t v t 

can decrypt the EKB.

r J , • « s-finstion list] 

[0239] When an EKB is produced such that it can be decrypted by one or more category trees and the resultant EKB is provided such that it can be used in common by devices belonging to the respective selected category trees, a method of using an EKB type

do* io l H ' i i j oi t .r* t jls CO i ! JSC it 
decrypt the EKB is described below. 
[0240] In the present embodiment, if the key distribution center (KDC) receives an EKB issue request from an EKB requester, such as a content provider, who
want* u >- 1- ry u Mr a i < - * < h L t .<=<=•> c <■ n EKB 
iob i bv i er. an EKB type rdentrfi 

cation number h L isc boo n tr 

fc^ago ode i , . t eeo^^KSte 

essed (decrypted) by one or more category trees. 
[0241] in the i j EKB msecord- 

^ t > \ C. > > i -< ^ i f I t - c r- ; 

tress, set io i o t v o t< t iemih 

r ibe-din EKB type definition list 

te t s\ drs t L e iop-levi 

category entities (TLCE), which are category tree managers, to produce their sub-EKB. If the sub-EKB's produced by the respective TLCE's are received, the key distribution center (KDC) combines the received
s j* \ ~ s i in be processed by the 

category trees 



[0242] In the present embodiment, the EKB requester such as the content provider (CP) can select specific category trees on the basis of the EKB type definition
lis a o the - 1 content pro 

s c ^C-jsJe* i, l i th r ■a 

the EKB type definition list the EKB requester requests 
the key distribution center (KDC) to issue an EKB that can be processed by the selected specific category tree. In response to the EKB request, the key distribution center (KDC) requests the management entity of the selected category tree to issue a sub-EKB. The manage-
ment entity e - - 3 e produces an 
EKB thai can b< rt sd tydev softha rir 
agement entity other than revoked devices and trans-

;5 i Jiti EKB the key distr juti i cen er 

(KDC). The key distribution center (KDC) combines the one or more sub-EKB's, thereby producing an EKB that can be processed only by the category trees selected by the EKB requester and provides the resultant EKB to

au t Ov.K5 eguesre Uf i EKB it 'the key 

distribution center (KDC), the EKB requester produces
an erci yp-cd ke> : -'■ ed content that can be de- 
y by a key a re / processing Site 
EKB and distributes the resultant encrypted hey croon- 

[0243] First various entities in the system are de- 
scribed briefly. 

Key distribution center (KDC)

[0244] A key distribution center (KDC) issues enabling key blocks (EKB) and manages an EKB type definition list associated with the issued EKB's.

[0245] A top-level category entity (TLCE) is an entity which manages a category tree, such as a format holder of a recording device, which manages a category tree. The TLCE manages the category tree, produces a sub-EKB that can be processed (decrypted) by devices within the category tree managed by the TLCE, and provides the resultant sub-EKB to the key distribution center (KDC).

EKB requester 

[0246] An EKB requester is, for example, an entity

so content distribution (ECD) service various contents 
such as vid - ins Arcf tet 

< <a i pli t i " f a nolaerof astot 

age medium. The content provider provides an encrypt-
ii c tt n k^f r \ ^er |f 

ss a key Which an be a 1 , ocessing an EKB 

response to a request issued by the content provider. 
[0247] For example, the content provider (CP) encrypts a content using a root key described in the EKB produced by the key distribution center (KDC) and distributes the resultant encrypted content. The format

1 iO, - S i ) ^ JE -iftCI V, t iq 

t -Ki" 5 onto me s if c - i 1i on 

thereof so that a content encrypted using a root key of
the EKB can be stored thereon. 

(TLCE and category-based tree management)

[0248] The category-based tree management has been already described. The relationship between the top-level category entity (TLCE) and the category tree is described below with reference to Fig. 46.
[0249] As described above, each category is a set of devices having similar features. More specifically, an example of a category is a set of devices produced by the same manufacturer. Another example is a set of devices that can deal with a specific encoding format in Fig. 46.

[0250] In Fig. 46, a root tree at the top has a tree struc-
ture hav it to ample t}l . r ,r no e eve ) 
Top nodes of respective category trees are disposed at the bottom of the root tree. The category trees may be related to each other such that a certain category tree is higher in level than another category tree. In the specific example shown in Fig. 45, category trees C and D are related to each other wherein the category tree C is a higher-level category tree related to the category tree D at the lower level.

[0251] Each category tree directly connected to the root tree at the top is referred to as a top-level category tree, and an entity that manages a top-level category tree is referred to as a top-level category entity (TLCE). In the specific example shown in Fig. 46, category trees A, B, and C are top-level categories, and entities that manage these top-level categories are top-level category entities (TLCE's). Each top-level category entity (TLCE) is basically responsible for managing all category trees
tel d v. he top eve c 

ei category trees related to the top-level category tree, 
In the specific example shown in Fig. 46, the TLCE that manages the category tree C also manages the category tree D. If there is another category tree at a further lower level related to the category tree D, the TLCE that manages the category tree C also manages the further lower-level category tree. However, another category
ei f e I -hm- -u Mpe 

- . - t v ii I < it 'are «; »-i< it a hie bre 

eve! categoi - 1 to that sub cat 

egory entity. 

[0252] Ear : h uses a cor lent, seen ^.s a 

ig raj mppara assignee t y fee 

top-level category entity (TLCE) to a leaf of a certain 
tree, and the device holds some of keys assigned to nodes in a path from that leaf to the root. A set of node keys held by a device is referred to as a device node key (DNK) set. The number of keys held by each device (the number of keys included in a DNK set) is determined by the top-level category entity (TLCE).
[0253] Fig. 47 shows the outline of processes performed among entities such as a key distribution center (KDC), a top-level category entity (TLCE), and an EKB requester.

[0254] A key distribution center (KDC) 4511 is included in a management entity 4510 of a tree-based EKB distribution system. The management entity 4510 further includes a certificate authority (CA) 4512 that writes a signature on each EKB.

[0255] The key distribution center (KDC) 4511 man-
- v roes such as food [cry trees 

me ey Jr 1 i <LC 4511 n i ges 

; 5 an EKB typ n v re cesei br ate 

and produces EKB's. The certificate authority (CA) 4512 writes a signature on each EKB produced by the key distribution center (KDC) and issues a public key corresponding to a secret key with which the signature is written, for use in verification of the signature.

[0256] An EKB requester 4520 requests the key distribution center (KDC) to issue an EKB. The EKB requester may be a content provider (CP) who provides a content-stored medium such as a CD or DVD on which a content is stored, a content provider (CP) who distributes a digital content, or a storage system licensor who provides a license of a format of a storage system such as a flash memory.

[0257] Each EKB requester 4520 provides an EKB corresponding to a content, a medium, or a license format such that a key needed in use of the content, the medium, or the license format provided by EKB requester can be extracted by processing the EKB. Each EKB is produced by the key distribution center (KDC) 4511 in response to an EKB request sent to the key distribution center (KDC) 4511 from the EKB requester 4520.
[0258] If the EKB requester 4520 receives an EKB issued in response to the EKB request sent to the key distribution center (KDC) 4511, the EKB requester 4520 may provide the EKB to a media manufacturer 4540
and/o i devii ' -> d may provide a 

medium or a device, in which the EKB is stored, to a
t am act KB is pa 3 1 an be p -re 

essed by one or more category trees.

[0259] In the present system, the EKB's may be produced in various fashions and may be used in various manners. For example, an EKB may be produced such that it can be processed by a plurality of category trees (two or three category trees or a greater number of category trees), or may be produced such that it can be processed only by one category tree. An EKB type definition list describes such various types of EKB's in the form of a list. The EKB type defi-

S3 <ZC --< ' st wii oc desrnoed in 

fwiheide- atet e - 4520 can acquire 

the EKB type definition list by issuing a request for the EKB type definition list to the key distribution center






(KDC) 4511. When the list is renewed, updated data is transmitted to the EKB requesters 4520 from the key distribution center (KDC) 4511.
[0260] As described above, the top-level category entities (TLCE's) 4530 are management entities of cate-
gory trees d re ■ ■ ■ s.Eas h top- 
level category entity (TLCE) 4530 manages keys of a
subtree ana a co espor > ii ?tn < 
respondence between the device ID and the device node key (DNK) set, which is a set of node keys stored in each device for use in processing the EKB. The top-level category entity (TLCE) 4530 produces a device node key (DNK) set to be stored in a device of a type managed by the top-level category entity (TLCE) 4530 and provides it to a manufacturer 4550 that pro-

[0261] If the key distribution center (KDC) 4511 receives an EKB request from the EKB requester 4520, the key distribution center (KDC) 4511 produces an EKB in accordance with the EKB request. For example, in a
case where tm ; tin 

be processes by wo s • p ategory trees, 
the key distribution center (KDC) 4511 requests those two top-level category entities (TLCE's) 4530 to issue their sub-EKB's. Upon receiving the sub-EKB request, each top-level category entity (TLCE) 4530 produces a sub-EKB that can be used by an authorised device within the category tree to acquire the root key and transmits the resultant sub-EKB to the key distribution center (KDC) 4511. On the basis of the one or more sub-EKB's received from the TLCE's, the key distribution center (KDC) 4511 produces an EKB. The process of producing the EKB on the basis of the sub-EKB's will be described in detail later.

[0262] The top-level category entities (TLCE's) 4530, as with the EKB requesters, can acquire the EKB type definition list by issuing a request for it to the key distribution center (KDC) 4511.
[0263] : 

>n center {KDC) 451 1 
to delete EKB type definition data associated with the top-level category entity (TLCE) 4530 from the EKB type definition list. For example, the delete request may specify that an EKB type defined as can be shared by another category tree should be deleted from the list. In a case where a tree managed by the top-level category entity (TLCE) 4530 is renewed, the top-level category
site CE 03t - Oi-temA-s i t c i Mm 
key distribution center (KDC) 4511. The detailed process thereof will be described later with reference to a flow chart.

[0264] The I nanufacti in bedassi 

tred into two t fan * r , 

DUKE device manufactures 455" which produce devic- 
es r- whtct be <IK cot £ nd an 
EKB a i ' i a f the other type 
are DNK device manufacturers 4353 which produce de-
vices in which only a device node key (DNK) set is 



stored. 

[0265] Fig. 48 illustrates, in the form of a block diagram, examples of configurations of the key distribution center (KDC), the EKB requester, and the top-level category entity (TLCE) shown in Fig. 47. The key distribution center (KDC), the EKB requester, and the top-level category entity (TLCE) are information processing appara-

tuses hav. ig ■< 

btlity which are constructed so as to serve as an EKB 

distribution apparatus, an EKB requesting apparatus, and a category tree management apparatus.
[0266] The information processing apparatus of each entity includes a cryptographic unit responsible for general cryptographic process in mutual authentication with another entity and in data communication. The cryptographic unit includes a control unit for generally controlling the cryptographic process associated with authen-
tication, ertcry r Ar mei tain cm y 
of the cryptographic unit serves to store data such as 

key data and identification data needed in various processes such as mutual authentication, encryption, and decryption. The identification data is used, for example, in mutual authentication with another entity.

[0267] An i yr. ti m unit perfoi tss in d 3 a 

transmission using key data stored in the internal mem-
ory, authentication i m data verifi- 
cation, and random number generation. 
[0268] As for the information processing apparatus serving as the EKB requester, it may also be configured such that a key is not generated by the EKB requester. In this case, components used to generate the key such as a random number generator, are not necessary. More specifically, in a case where the information processing apparatus serving as the EKB requester generates a root key to be included in an EKB and requests the key distribution center to generate the EKB so as to include the root key, the information processing apparatus has
to include m> - u io root key However, 

in a case where the information processing apparatus serving as the EKB requester does not produce the root key to be included in the EKB, but requests the key distribution center (KDC) to produce the root key and further produce the EKB including the root key produced by the key distribution center (KDC), the information processing apparatus does not need to include components
mi iM )■- at L r as r et m , , ; ic t - )r 5t - 

the key. 

[0269] Because information such as an encryption key is stored in the internal memory of the cryptographic unit, the internal memory should be constructed such that an unauthorized access to the memory is prevented. More specifically, the cryptographic unit is configured using an anti-tamper memory formed of a semicon-
ductor chip r: it t r ^ t ' t r i o> 

ternal access.

[0270] Each entity includes, in addition to the cryptographic unit described above, a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), an input unit, a display unit, a database interface, and a database.
[0271] The CPU (Central Processing Unit), the RAM (Random Access Memory), and the ROM (Read Only Memory) form a control system of the entity. The RAM is used as a main memory used by the CPU as a work area in various processes. The ROM is used to store a starting program executed by the CPU.
[0272] The database or storage means of each information processing apparatus stores data managed by the entity. For example, in the key distribution center (KDC), management data associated with issued EKB's and the EKB type definition list are stored in the database. In the case of the top-level category entity (TLCE),
nvi.ic.pe c it - i 1 s e or g a 3 < 

the category tree, such as data indicating correspondence between devices managed by the TLCE and the device node key (DNK) sets, is stored in the database. In the EKB requester, the database stores management data indicating the correspondence between contents provided by the EKB requester and the EKB's
used to th< cot J i m iic io 
the devices to which the contents are provided. It is desirable that the EKB type definition list be stored in an accessible manner also in the information processing apparatuses serving as the EKB requester and the top-level category entity (TLCE). Alternatively, the EKB type definition list may be stored at a Web site that is managed by the key distribution center (KDC) and that can be accessed by the EKB requester and the top-level category entity (TLCE).

[0273] As described earlier, devices use a device 
nod'" key DfvK) set whs f e r 

EKB. An example of a device node key (DNK) set stored 
in a device is described below with reference to Fig. 49.
in Fig. 49, atree nodes a category free, in which leaves 
related to dcvti ~ , • " to 



. ere 



y be 



[0274] Basi 



wide 



;ch c 



such as a recording/ 
i memory in which 
a have been stored 



(EKB type definition list)

[0276] Distribution of an EKB on a category basis has already been described. In a case where an EKB for common use by a plurality of categories is issued, that
is. in a case w I to processed 

by devices belonging to different category trees, there 
is s . oss bilitt t oe prnoif ns oo ji 
[0277] For example, let us assume herein that two different companies A and B have a license of a format of



category entity (TLCE). The category tree is connected
to a root t c - t jf . j c krex im 

ple) located at a higher level. Each device holds node keys assigned to nodes in a path from the device to a higher level, as shown in Fig. 49. These keys are held as a device node key (DNK) set in the device so that an EKB can be decrypted using the device node key (DNK)



are related to leaves, a vendor of software package may
be assigned to ait leaves. The assignment of devices is 
determined by the TLCE. That is, the TLCE determines which device is assigned to which leaf and which node keys are assigned to which device.
[0275] The top-level category entity (TLCE) may be a device supplier (manufacturer). In this case, the top-lev-
t c go y er t Jdev e < ffer 

storing a device i ' (DN! 1 - rein Tha is it 



orage : 



a port- 



able flash memory, a manufacturer having a license of a medium (portable flash memory) is an entity of a top
it ve oateqcey; and ca;eg< • 3edbyc0m.pt 

r es A and B r h is; a; e. love elov* 1 stop 

level category. Let us further assume that, in order that
r patibte with each 
other and can use various contents in common, an EKB
tha an be; ces belonging 

toanyoru < of companies A &nd B 

isproauc da .at / frit it mce fee 

(KDC).

[0278] mason if secrecy of a device nods 

key (DNK) sett mi vicebv n mo ca;eg ytree 
managed by the company A is broken, there is a possibility that all already-distributed contents, which can be used by devices of both companies A and B by using that device node key (DNK) set, may be used in an unauthorized manner. To prevent such unauthorized use, it is needed to renew the EKB for revocation. However, in this case, because the EKB has been produced such
that it can be u dm oca no e 'legacy trees 



viihf 



npar 



be performed not only for the category tree associated with company A but for both category trees associated with

companies A and B. 

[0279] As described above, in the case where an EKB is distributed such that it can be used in common by a
plurality of c 3 - > y ;rei eno* of the EKB and ov 



iOt Oi 



ft for r 



EKB. As a result, company B is influenced by a category tree other than the category tree managed by company B. This results in an increase in complexity of management process.

[0280] Herein, a technique of solving the above problem is disclosed below. That is, the right of giving per-
mission oi Si. V) an EKB usable m common by a > 
rattty 0; categoi - h< active category 

entities that n nago th tegot-cs esslng of an EKB 



d by an i 



a the 



entity can ac.ee > oh may occt 

« devices of a category of an entity as a result of occur- 
rence of a prot J et j to another cat-

1 /cannot ac- 
cept the risk, th is s ue or use of 

[0281] In this method, various kinds of EKB's are produced and used. For example, an EKB may be such an EKB that can be processed by two or three category trees, or a greater number of category trees, but another EKB may be such an EKB that can be processed only by a single category tree. An EKB type definition list is used to describe such various types of EKB's in the form of a list. Fig. 50 shows an example of an EKB type definition list. The EKB type definition list is stored and managed by the key distribution center (KDC). The EKB type definition list is provided to, or can be accessed by, EKB requesters or TLCE's, as required.
[0282] As shown in Fig. 50, the EKB type definition list includes fields of "EKB type identification number", "node", and "description". The "EKB type identification number" is a number identifying a type of EKB listed in the EKB type definition list. If the identification number is different, then the category tree or the combination of category trees that are allowed to process the EKB becomes different.

[0283] The "node" field is used to describe the top-node ID of category trees to which a specific EKB can be applied. For example, for an EKB of an EKB type identification number of 1, the top-node ID of a category tree associated with the MS (Memory Stick) is assigned. On the other hand, for an EKB of a row of an EKB type identification number of 3, the top-node ID of the category tree associated with the MS (Memory Stick) and the top-node ID of a category tree associated with PHS are assigned.

[0284] The field of "description" is used to store descriptions of various types of EKB's listed in the EKB type definition list. For example, the data in the "description" field for the EKB of the EKB type identification number of 1 indicates that this EKB is for the MS (Memory Stick), and the data in the "description" field for the EKB of the EKB type identification number of 3 indicates that this EKB can be used in common by category trees of the MS (Memory Stick) and the PHS.
[0285] The EKB type definition list shown in Fig. 50 is managed by the key distribution center (KDC). An entity
such as a con s j i r i < 

enet i cf tt men. it y , ir -m ryf 
ed content enc > t a key thai can be e to 

tn f wt^ q ' J - - * < '- f ' t e E'.P ypt d- 
inition list shown in Fig. 50, an EKB type that can be processed by a category including devices to which the content is going to be supplied. The content provider then requests the key distribution center (KDC) to pro-

:. ig bKB type 

identification number. 

[0286] When various types of EKB's are registered in the EKB type definition list, registration should be performed with approval of the top-level category entities (TLCE's) of the category trees to be registered. When, for example, TLCE-A of the category tree refused issue of an EKB shared by another category, an EKB

other category is not registered in the EKB type defini-

[0287] In a case where all TLCE-A of the category tree A, TLCE-B of the category tree B, and TLCE-C of the category tree C have approved issue of an EKB for common use, an EKB type that can be processed in common by these category trees is registered in the EKB type definition list. Thereafter, a content provider can specify the EKB type identification number assigned to that EKB type and can request the key distribution center (KDC) to issue a corresponding EKB.
[0288] * ■ , , >*EKBiyooamj 

a corresponding EKB type identification number in the EKB type definition list, the following process is required.

(1) All TLCE's, which manage categories relating to an EKB type having an EKB type identification number to be registered, send an EKB type registration request to the key distribution center (KDC).

(2) The key distribution center (KDC) confirms that the EKB type registration requests have been received from all top-level category entities (TLCE's) of category trees which will be capable of processing an EKB of the EKB type requested to be registered. After the confirmation, the key distribution center (KDC) defines a new EKB type identification number for the EKB type and adds it to the EKB type definition list.

(3) The key distribution center (KDC) sends an EKB type definition list renewal notification to all TLCE's and EKB requesters to notify that the EKB type definition list has been renewed.

[0289] The EKB type definition list is opened for use by all TLCE's and EKB requesters by sending it to all TLCE's and EKB requesters or by putting it at a Web site. Thus, TLCE's and EKB requesters can acquire EKB type information described in the newest EKB type definition list.

(EKB type registration) 

[0290] A process performed by the key distribution center (KDC) before registering a new EKB type in the EKB type definition list is described below with reference to Fig. 51. First, the key distribution center (KDC) receives an EKB type registration request from a TLCE that wants to register a new EKB type (S101). The EKB type registration request from the TLCE includes a description of the number of categories which should be able to use in common the EKB to be registered. The key distribution center (KDC) determines whether as many similar EKB type registration requests as the number of categories described in the request have been received from TLCE's (S102). If and only if as many EKB type registration requests as the number of categories described in the request have been received from TLCE's, the key distribution center (KDC) registers the new EKB type in the EKB type definition list in accordance with the request. The key distribution center (KDC) performs a list renewal process and issues a list renewal notification (S103). The renewal notification is sent to all TLCE's and EKB requesters.

[0291] As described above, the key distribution center (KDC) performs registration of a new EKB type identifier
into be EKE r » proval of 

the registration « be r jbtai rdfrom til category en- 
tities which manage the category trees specified as category trees which should be able to process the EKB type to be registered.

[0292] In the above process, mutual authentication and encryption of transmission data are performed, as required, in communication between the key distribution center (KDC) and TLCE's or EKB requesters. Furthermore, encryption of other messages, writing of signature, and data verification may also be performed. In a case where authentication or cryptographic communication is performed using the public key cryptographic technology, it is required that entities already have their public keys.

(Revocation of an EKB type) 

[0293] When it is needed to revoke all devices belonging to a certain category, the top-level category entity (TLCE) issues a request for revocation of EKB types associated with the category to the key distribution center (KDC). Furthermore, when a certain service is going to be terminated or when there is some reason, the top-level category entity (TLCE) may issue a request for revocation of an EKB type from the present registration to the KDC.

[0294] The process of revocation of an EKB type is described below with reference to a flowchart shown in
f-g r ? r -e * - KDCHeceives 
an EKB type revocation request from an TLCE that 
wants 

tion center (KDC) receives the EKB type revocation request from the TLCE, the key distribution center (KDC) confirms that the issuer of the request is the TLCE that manages the category associated with the EKB type requested to be revoked. After confirmation, the key distribution center (KDC) revokes, from the EKB type definition list, the EKB type identification number corresponding to the EKB type specified in the EKB type revocation request, and performs renewal of the EKB type definition list. Thereafter, the key distribution center (KDC) issues a list renewal notification (S202). The renewal notification is sent to all TLCE's and EKB requesters.

[0295] As described earlier, the key distribution center (KDC) performs revocation of an EKB type identifier registered in the EKB type definition list, if and only if a revocation request is received from at least one of category entities managing one or more category trees selected as category trees capable of processing on the basis of an EKB type requested to be revoked. In this case, approval of the other category entities is not needed.
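
The registration and revocation rules of [0288] to [0295], as an added example in Python that is not code from the patent: a new EKB type is listed only once every TLCE managing one of its category trees has requested it, while any single one of those TLCE's can have it revoked. Class, method and node names are assumptions, the requester is assumed to be already authenticated as in [0292], and the code tracks which TLCE's have asked rather than only counting requests as in step S102.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EkbType:
    type_id: int        # "EKB type identification number" field
    nodes: frozenset    # "node" field: top-node IDs of the category trees
    description: str    # "description" field


class KeyDistributionCenter:
    """Keeper of the EKB type definition list (hypothetical class name)."""

    def __init__(self, tree_owner):
        # tree_owner maps a category tree's top-node ID to the TLCE managing it.
        self.tree_owner = dict(tree_owner)
        self.definition_list = {}   # type_id -> EkbType
        self.pending = {}           # nodes -> (description, TLCE's that asked)
        self.subscribers = []       # TLCE / EKB requester callbacks
        self.next_id = 1            # assumption: numbers are never reused

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def _notify(self, change, type_id):
        # List renewal notification, sent to all TLCE's and EKB requesters.
        for callback in self.subscribers:
            callback((change, type_id))

    def _owners(self, nodes):
        unknown = [n for n in nodes if n not in self.tree_owner]
        if unknown:
            raise ValueError(f"unknown category tree(s): {sorted(unknown)}")
        return {self.tree_owner[n] for n in nodes}

    def request_registration(self, tlce, nodes, description):
        """Return the new type ID, or None while approvals are outstanding."""
        nodes = frozenset(nodes)
        owners = self._owners(nodes)
        if tlce not in owners:
            raise PermissionError(f"{tlce} manages none of the requested trees")
        for entry in self.definition_list.values():
            if entry.nodes == nodes:
                return entry.type_id            # already listed
        text, asked = self.pending.setdefault(nodes, (description, set()))
        asked.add(tlce)
        if asked != owners:                     # some TLCE has not approved yet
            return None
        del self.pending[nodes]
        entry = EkbType(self.next_id, nodes, text)
        self.next_id += 1
        self.definition_list[entry.type_id] = entry
        self._notify("registered", entry.type_id)
        return entry.type_id

    def request_revocation(self, tlce, type_id):
        """One managing TLCE is enough; the others are not consulted."""
        entry = self.definition_list.get(type_id)
        if entry is None:
            raise KeyError(type_id)
        if tlce not in self._owners(entry.nodes):
            raise PermissionError(f"{tlce} does not manage EKB type {type_id}")
        del self.definition_list[type_id]
        self._notify("revoked", type_id)
        return entry


def run_demo():
    # Constructed data: two category trees and their managing TLCE's.
    kdc = KeyDistributionCenter({"MS": "TLCE-A", "PHS": "TLCE-B"})
    events = []
    kdc.subscribe(events.append)
    kdc.request_registration("TLCE-A", ["MS"], "for MS")
    kdc.request_registration("TLCE-A", ["MS", "PHS"], "MS and PHS in common")
    kdc.request_registration("TLCE-B", ["MS", "PHS"], "MS and PHS in common")
    kdc.request_revocation("TLCE-B", 2)
    return events


if __name__ == "__main__":
    print(run_demo())
```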
[0296] In the above process, mutual authentication and encryption of transmission data are performed, as required, in communication between the key distribution center (KDC) and TLCE's or EKB requesters. Furthermore, encryption of other messages, writing of signature, and data verification may also be performed. In a case where authentication or cryptographic communication is performed using the public key cryptographic technology, it is required that entities already have their public keys.

(EKB type definition list renewal notification)

[0297] For example, in a case where, in a certain category tree, the
TLCE managing that category tree has performed a process resulting in a
change in the state of the tree, such as revocation of a device or a
change of a device node key (DNK) set stored in a certain device into a
new device node key (DNK) set, the TLCE has to notify the EKB requesters
or TLCE's using EKBs associated with that device of the fact that the
process has been performed.

[0298] When revocation of a device has been performed, if a
notification of the revocation is not sent, a content provider (CP) may
use an old EKB in transmission of an encrypted content. The old EKB can
be processed (decrypted) even by the revoked device, and thus [...].
[...] a case where a device node key (DNK) set has been renewed with a
new one [...] and a device has the new DNK. However, if a content
provider does not use an EKB in which the new DNK is reflected, a device
having the new DNK cannot process (decrypt) the EKB and thus cannot
access the content.

[0299] To avoid such a problem, a TLCE has to send a tree change
notification to the key distribution center (KDC) when one of the
changes described below occurs.

A change in a tag part of an EKB, performed in response to revocation
of a device

A change in a value of a DNK set stored in at least one device,
performed in response to renewal of a device node key (DNK) set

[0300] The tree change notification includes information indicating an
EKB type identification number to be changed [...], information
indicating a category associated with that EKB type identification
number, and information indicating what has occurred, for example,
information indicating that revocation or DNK renewal has been
performed.

[0301] The process of EKB type definition list renewal notification is
described below with reference to a flow chart shown in Fig. 53. First,
the key distribution center (KDC) receives a tree change notification
from a TLCE (S301). Upon receiving the tree change notification from the
TLCE, the key distribution center (KDC) extracts an EKB type
identification number associated with the category from the EKB type
definition list, and sends an EKB type definition list renewal
notification to all TLCE's [...] change (revocation [...]) [...] EKB
type identification number is influenced by the change. In the above
process, mutual authentication and encryption of transmission data are
performed, as required, in communication between the key distribution
center (KDC) and TLCE's or EKB requesters. Furthermore, encryption of
other messages, writing of signature, and data verification may also be
performed. In a case where authentication or cryptographic communication
is performed using the public key cryptographic technology, it is
required that entities already have their public keys.

(EKB type definition list request)

[0302] In order to obtain the newest version of the EKB type definition
list, a top-level category entity (TLCE), a sub-category entity (SCE)
other than the TLCE, or an EKB requester such as a content provider may
send a request for the EKB type definition list to the key distribution
center (KDC). In response to the request, the key distribution center
(KDC) returns the newest version of the EKB type definition list to the
requester.

[0303] The EKB type definition list request process is described below
with reference to a flow chart shown in Fig. 64. First, the key
distribution center (KDC) receives an EKB type definition list request
from a TLCE, a sub-category entity, or an EKB requester [...]. Upon
receiving the request for the EKB type definition list, the key
distribution center (KDC) extracts the newest version of the EKB type
definition list and transmits it to the entity which has issued the
request. In the above process, mutual authentication and encryption of
transmission data are performed, as required, in communication between
the key distribution center (KDC) and TLCE's, sub-category entities, or
EKB requesters. Furthermore, encryption of other messages, writing of
signature, and data verification may also be performed. In a case where
authentication or cryptographic communication is performed using the
public key cryptographic technology, it is required that entities
already have their public keys.

(Issue of an EKB) 

[0304] An EKB is issued in response to an EKB request received from an
EKB requester. Examples of EKB requesters are listed below.

[a] Content provider (CP) that provides a content-stored medium such as
a CD or DVD.
[b] Content provider that provides electronic content distribution
(ECD) service.
[c] Holder of a storage system format.

The EKB requester is an entity that provides a service, a medium, or a
device in which [...] format can be used by acquiring a key by
decrypting an EKB.

[0305] Holders of a storage system format described in [c] can be
classified into two types as described below.

[c1] Format holder that provides an acquired EKB to a manufacturer of a
storage medium according to a format in which the EKB is stored into the
storage medium when it is produced.
[c2] Format holder that provides an acquired EKB to a manufacturer of a
recording device according to a format in which the EKB is stored into
the recording device when it is produced.

[0306] The EKB issue process is described below.

(1) Production of a content key

[0307] First, an EKB requester such as a content provider produces a
content key to be used in conjunction with a content, a device, or a
medium that the EKB requester provides.

[0308] For example, in the case where the EKB requester is

[a] a content provider (CP) that provides a content-stored medium such
as a CD or DVD, or
[b] a content provider that provides electronic content distribution
(ECD) service,

the produced content key is used to protect the content stored on the
medium or protect the content during the electronic content distribution
(ECD) service.

[0309] On the other hand, when the EKB requester is

[c1] a format holder that provides an acquired EKB to a manufacturer of
a storage medium according to a format in which the EKB is stored into
the storage medium when it is produced, the content key is used to
protect the content stored on the medium.

[0310] In the case where the EKB requester is

[c2] a format holder that provides an acquired EKB to a manufacturer of
a recording device according to a format in which the EKB is stored into
the recording device when it is produced, the content key is used to
protect the content stored using the recording device.

[0311] The mechanism, such as a cryptographic algorithm, of protecting
the content using the content key [...] format.

(2) Production of a root key

[0312] The EKB requester produces a root key that can be extracted by
decrypting the EKB. Alternatively, the EKB requester may acquire the
root key from the key distribution center (KDC) instead of producing it.
The root key is used to protect (encrypt) the content key. The
mechanism, such as a cryptographic algorithm, of protecting the content
key using the root key may be determined arbitrarily for each format.

(3) Request for issue of an EKB 

[0313] The EKB requester sends an EKB issue request to the key
distribution center (KDC).

[0314] The EKB issue request includes information indicating the root
key and information specifying one of the EKB type identification
numbers registered in the EKB type definition list, to indicate a [...]
device to which the root key is to be transmitted using the EKB. On the
basis of the EKB type definition list stored in the storage medium of
the EKB requester, or on the basis of the EKB type definition list
acquired from a site on a network, the EKB requester selects an EKB type
associated with a category including the device to which service such as
providing of a content is to be [...], and then issues to the key
distribution center (KDC) an EKB issue request including information
specifying the EKB type identification number [...].

(4) Issue of EKB 

[0315] In accordance with the EKB issue request received from the EKB
requester, the key distribution center (KDC) produces an EKB such that
the EKB includes the root key if the root key is not included in the EKB
issue request. However, if the EKB issue request does not include the
root key and if the EKB issue request includes a request for production
of the root key, the key distribution center (KDC) produces a root key
[...] the EKB is transmitted to the EKB requester.

[0316] The EKB produced by the key distribution center (KDC) can be of
a type that can be processed only by a single category tree or of a type
that can be processed by a plurality of category trees. On the basis of
the EKB type identification number specified in the EKB issue request,
the key distribution center (KDC) extracts a category associated with
the EKB type identification number, that is, extracts the node described
in the node field, corresponding to the EKB type identification number,
of the EKB type definition list. In the node field, the top node [...]
is described. The entity managing that category can be known from this
node ID. On the basis of [...], the key distribution center (KDC) sends
a sub-EKB issue request to the top-level category entity (TLCE) [...]
category. The sub-EKB issue request includes information indicating the
root key [...] the category.

[0317] If the TLCE receives the sub-EKB issue request from the key
distribution center (KDC), the TLCE produces a sub-EKB such that devices
(non-revoked devices) within the specified one or more categories can
finally extract the root key from the sub-EKB, and the TLCE transmits
the resultant sub-EKB to the key distribution center (KDC).

[0318] The sub-EKB produced by the top-level category entity (TLCE) has
a structure similar to that of a usual EKB (Fig. 6) except that the
version number and other information for verification (version check
value) are not included. The algorithm of encrypting a higher-level node
key using a [...] key of a lower-level node [...] the sub-EKB, the key
length, and the mode may be arbitrarily determined for each TLCE (format
holder) that produces the sub-EKB. This makes it possible to employ a
[...] scheme differently from the other formats. A default encryption
algorithm may be predetermined. For example, the triple-DES according to
FIPS46-2 may be employed as the default encryption algorithm, and the
triple-DES algorithm is employed if TLCE's do not object to it. In the
case where each TLCE arbitrarily determines the encryption algorithm
[...], when sub-EKBs produced by different TLCE's are combined together
into a single EKB, each (encrypted) key is rewritten into data with a
predetermined length such as 18 bytes so that the resultant combined EKB
can be used by any device managed by any TLCE. By properly determining
the data format of the combined EKB used in common in a plurality of
category trees, it becomes possible for any device [...] to correctly
determine the location of the key data to be used. For example, if each
key data in the EKB is represented in 16 bytes, the device can [...]
extract the correct key data that can be processed by the device and can
finally acquire the root key.

[0319] That is, in accordance with the data format of the combined EKB
produced from a plurality of sub-EKB's, a plurality of key data are
stored in fixed-length data fields. Thus, even if enabling key blocks
(sub-EKB's) having different key data lengths according to different
algorithms are combined into a single EKB, even if a plurality of
encrypted key data of [...] positions of the nodes or leaves in the key
tree, it is possible to correctly extract necessary key data in
accordance with [...] in the EKB. Such a combined EKB may be distributed
to users (devices) by means of transmission via a network or by
providing a storage medium on which the EKB is stored.

[0320] The key distribution center (KDC) rearranges or combines the
sub-EKB's received from TLCE's as required [...] information. The [...]
is transmitted to [...] using the public key [...] may [...] certificate
authority (CA) other than the key distribution center (KDC).
[0321] The process [...] is described below with reference to Fig. 55.
Fig. 55 shows a sub-EKB-(A), which is produced by a TLCE of a category
tree A (5100) in the process of producing a combined EKB that can be
used in common by both category trees A (5100) and B (5200). The
sub-EKB-(A) is produced such that each device in the category tree A
(5100) can extract the root key. Although in the previous examples the
root tree 5300 has an 8-level tree structure, a 2-level tree structure
is assumed in the present example for the purpose of simplicity.

[0322] In Fig. 56, each underlined 3-digit number [XXX] in the tree
structure denotes a tag (e, l, r) in the EKB. As described earlier
(Figs. 26 and 27), e = 1 denotes that there is data, and e = 0 denotes
that there is no data. l = 1 denotes that there is no branch extending
to left, and l = 0 denotes that there is a branch extending to left.
r = 1 denotes that there is no branch extending to right, and r = 0
denotes that there is a branch extending to right.

[0323] In order to produce the sub-EKB-(A) such that all devices
(leaves) in the category tree A (5100) shown in Fig. 55 can extract the
root key, the sub-EKB-(A) should include data produced by encrypting the
root key using a node key held in common by all leaves. Each device has
node keys in its path in the device node key (DNK) region 5120 of the
category tree A (5100) shown in Fig. 55. Therefore, if the root key is
encrypted using a node key at the top in the DNK region 5120, then the
sub-EKB-(A) satisfies the above requirement.

[0324] Thus, the TLCE of the category tree A (5100) produces the
sub-EKB-(A) such that its tag part consists of 101, 010, 000, 111, and
111, and its key part consists of Enc(K010, Kroot) and Enc(K011, Kroot).
The TLCE of the category tree A (5100) transmits the resultant
sub-EKB-(A) to the key distribution center (KDC).

[0325] A sub-EKB-(B) produced by the category tree B (5200) is
described below with reference to Fig. 56. In order to produce the
sub-EKB-(B) such that all devices (leaves) in the category tree B (5200)
can extract the root key, the sub-EKB-(B) should include data produced
by encrypting the root key using a node key held in common by all
leaves. Each device has node keys in its path in the device node key
(DNK) region [...] of the category tree B (5200) shown in Fig. 56.
Therefore, if the root key is encrypted using a node key at the top in
the DNK region [...], then the sub-EKB-(B) satisfies the above
requirement.

[0326] Thus, the TLCE of the category tree B (5200) produces the
sub-EKB-(B) such that its tag part consists of 110, 010, 000, 111, and
111, and its key part consists of Enc(K110, Kroot) and Enc(K111, Kroot).
The TLCE of the category tree B (5200) transmits the resultant
sub-EKB-(B) to the key distribution center (KDC).

[0327] The key distribution center (KDC) produces a combined EKB from
the sub-EKB-(A) and the sub-EKB-(B) produced by the respective TLCE's.
The process of producing the combined EKB is described below with
reference to Fig. 57. The combined EKB is produced such that all devices
belonging to the category tree A (5100) and all devices belonging to the
category tree B (5200) can extract the root key from the EKB. Basically,
the combined EKB can be produced by combining the sequences of key data
of the received sub-EKB's into a single sequence of key data such that
the locations of key data in the sequence correspond to the locations in
the tree from top to bottom and from left to right.

[0328] Thus, the tag part of the combined EKB becomes 100, 010, 010,
000, 000, 111, 111, 111, 111, and the key part becomes Enc(K010, Kroot),
Enc(K011, Kroot), Enc(K110, Kroot), Enc(K111, Kroot). If each key data
in the key part is represented by, for example, 16 bytes, as described
above, then each device in the category [...] locations of the key data
that can [...], and thus can extract the root key from the combined EKB.

[0329] In the above process of producing the sub-EKB's and the combined
EKB, it is assumed that the category trees do not include a revoked
device. The process of producing sub-EKB's and a combined EKB is
described below for the case where there is a revoked device.

[0330] Fig. 58 shows the process of producing a sub-EKB when the
category tree A (5100) includes a revoked device (01101) 5150. In this
case, the sub-EKB is produced as a sub-EKB-(A') that cannot be processed
by the revoked device (01101) 5150 but can be processed by the other
devices in the category tree A (5100).

[0331] In this specific example, the sub-EKB is produced by selecting
key data along the paths denoted by bold lines in Fig. 58. Thus, the
sub-EKB-(A') produced by the TLCE of the category tree A (5100) includes
a tag part consisting of 101, 010, 000, 111, 000, 001, 111, and 111, and
a key part consisting of Enc(K010, Kroot), Enc(K0111, Kroot), and
Enc(K01100, Kroot). The TLCE of the category tree A (5100) transmits the
resultant sub-EKB-(A') to the key distribution center (KDC).

[0332] The key distribution center (KDC) produces a combined EKB from
the sub-EKB-(A') and a sub-EKB-(B) received from the TLCE of the
category tree B (5200) (Fig. 56). The process of producing the combined
EKB is described below with reference to Fig. 59. The combined EKB is
produced such that all devices belonging to the category tree A (5100)
except for the revoked device (01101) 5150 and all devices belonging to
the category tree B (5200) can extract the root key from the EKB.
Basically, the combined EKB can be produced by combining the sequences
of key data of the received sub-EKB's into a single sequence of key data
such that the locations of key data in the sequence correspond to the
locations in the tree from top to bottom and from left to right.

[0333] Thus, the tag part of the combined EKB consists of 100, 010,
010, 000, 000, 111, 000, 111, 111, 001, 111, and 111, and the key part
consists of Enc(K010, Kroot), Enc(K110, Kroot), Enc(K111, Kroot),
Enc(K0111, Kroot), and Enc(K01100, Kroot). This combined EKB allows
extraction of the root key, for all devices belonging to the category
tree A (5100) except for the revoked device (01101) 5150 and for all
devices belonging to the category tree B (5200) without exception.
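
The combination described in paragraphs [0324] to [0333], as an added example in Python that is not part of the patent text: it rebuilds each sub-EKB's tree from its tag list, merges the trees, and writes the tag part and key part back out from top to bottom and from left to right. The ciphertexts are placeholder strings, the key entries carry explicit node labels, and the device paths 01001 and 11010 are constructed for illustration.

```python
from collections import deque

# Tag convention from paragraph [0322]: a tag is the 3-digit string "elr".
# l = 0 / r = 0 means a branch extends to the left / right; 1 means none.
# e is the data flag. This example carries e through the merge but places
# key data by node label (K010 -> node "010"); that is an assumption of the
# example, not a rule stated in the text.


def tags_to_tree(tags):
    """Rebuild {node_path: (e, l, r)} from a breadth-first tag list.
    Paths are bit strings from the root: "" is the root, "01" is left-right."""
    tree, pending = {}, deque([""])
    for tag in tags:
        if not pending:
            raise ValueError("tag list describes more nodes than the tree has")
        path = pending.popleft()
        e, l, r = (int(bit) for bit in tag)
        tree[path] = (e, l, r)
        if l == 0:
            pending.append(path + "0")
        if r == 0:
            pending.append(path + "1")
    if pending:
        raise ValueError("tag list ends before every branch is described")
    return tree


def combine(sub_ekbs):
    """Merge sub-EKBs, each given as (tags, [(node, ciphertext), ...]), into
    one tag part and one key part ordered top to bottom, left to right."""
    tree, keys = {}, {}
    for tags, key_part in sub_ekbs:
        for path, (e, l, r) in tags_to_tree(tags).items():
            me, ml, mr = tree.get(path, (0, 1, 1))
            # A branch exists in the result if any sub-EKB has it (0 wins);
            # the data flag is set if any sub-EKB sets it (1 wins).
            tree[path] = (e | me, l & ml, r & mr)
        for node, ciphertext in key_part:
            if node in keys:
                raise ValueError(f"two sub-EKBs carry key data for node {node}")
            keys[node] = ciphertext
    missing = [node for node in keys if node not in tree]
    if missing:
        raise ValueError(f"key data for nodes absent from the tags: {missing}")
    # Sorting by (depth, bit string) is breadth-first, left-to-right order.
    order = sorted(tree, key=lambda p: (len(p), p))
    tag_part = ["%d%d%d" % tree[p] for p in order]
    key_part = [(p, keys[p]) for p in order if p in keys]
    return tag_part, key_part


def usable_entry(device_path, key_part):
    """Return the key-part node whose node key the device holds, or None.
    A device holds the node keys on its own path, so an entry is usable
    only if its node label is a prefix of the device's leaf path."""
    for node, _ in key_part:
        if device_path.startswith(node):
            return node
    return None


def enc(node):
    """Placeholder for Enc(K<node>, Kroot); no real encryption is done."""
    return f"Enc(K{node}, Kroot)"


# Values taken from paragraphs [0324], [0326] and [0331].
SUB_A = (["101", "010", "000", "111", "111"],
         [("010", enc("010")), ("011", enc("011"))])
SUB_B = (["110", "010", "000", "111", "111"],
         [("110", enc("110")), ("111", enc("111"))])
SUB_A_REVOKED = (["101", "010", "000", "111", "000", "001", "111", "111"],
                 [("010", enc("010")), ("0111", enc("0111")),
                  ("01100", enc("01100"))])

if __name__ == "__main__":
    for label, subs in (("no revocation", [SUB_A, SUB_B]),
                        ("device 01101 revoked", [SUB_A_REVOKED, SUB_B])):
        tag_part, key_part = combine(subs)
        print(label)
        print("  tags:", ", ".join(tag_part))
        print("  keys:", ", ".join(ct for _, ct in key_part))
        for device in ("01001", "01100", "01101", "11010"):
            print("  device", device, "->", usable_entry(device, key_part))
```
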

(5) Use of EKB

[0334] The EKB produced by the key distribution center (KDC) via the
process described above is transmitted to the EKB requester.

[0335] For example, in the case where the EKB requester is

[a] a content provider (CP) that provides a content-stored medium such
as a CD or DVD, or
[b] a content provider that provides electronic content distribution
(ECD) service,

a content key is encrypted using the root key that [...] and a content
is encrypted using the content key and distributed. The content can be
used only by devices which belong to the specific category and thus can
process the EKB.

[0336] On the other hand, when the EKB requester is

[c1] a format holder that provides an acquired EKB to a manufacturer of
a storage medium according to a format in which the EKB is stored into
the storage medium when it is produced, the produced EKB and the content
key encrypted using the root key are provided to the storage medium
manufacturer, and storage media on which the EKB and the content key
encrypted using the root key are stored are produced by the storage
medium manufacturer or the EKB requester itself, and the produced
storage media are distributed. In this case, only devices which belong
to the specific category tree and thus can process the EKB can perform
encryption and decryption using the EKB stored on the storage medium in
the operation of recording/reproducing the content.


[0337] In the case where the EKB requester is

[c2] a format holder that provides an acquired EKB to a manufacturer of
a recording device according to a format in which the EKB is stored into
the recording device when it is produced, the produced EKB and the
content key encrypted using the root key are provided to the recording
device manufacturer, and recording devices in which the EKB and the
content key encrypted using the root key are stored are produced by the
recording device manufacturer or the EKB requester itself, and the
produced recording devices are distributed. In this case, only devices
which belong to the specific category tree and thus can process the EKB
can perform encryption and decryption using the EKB in the operation of
recording/reproducing the content.

[0338] In the above process, mutual authentication and encryption of
transmission data are performed, as required, in communication among EKB
requesters, the key distribution center (KDC), and TLCE's. Furthermore,
encryption of other messages, writing of signature, and data
verification may also be performed. In a case where authentication or
cryptographic communication is performed using the public key
cryptographic technology, it is required that entities already have
their public keys.

(Producing an EKB by simply combining sub-EKB's)

[0339] In the above-described process of producing a combined EKB from
sub-EKB's, a sequence of encrypted key data included in the respective
sub-EKB's is rearranged such that the locations of key data correspond
to the locations in the whole tree from top to bottom. A technique of
producing a combined EKB by simply combining sub-EKB's produced by
TLCE's of category trees into a single EKB without performing
rearrangement is described below.

[0340] Fig. 80 shows an example of a combined EKB 6000 produced by
simply combining sub-EKB's produced by TLCE's of category trees into a
single EKB without performing rearrangement.
[0341] In the process of issuing an EKB, the key distribution center
(KDC) sends a sub-EKB production request to TLCE's which are entities
managing category trees corresponding to an EKB type identification
number [...] specified by an EKB requester. Sub-EKB's 6110, 6120 and so
on received from TLCE's are simply combined into a single EKB [...]. In
order that a device belonging to a specific category can select, from
the combined EKB, a sub-EKB which corresponds to the category the device
belongs to and thus can be processed by the device, data [...] (node ID)
6112 indicating the category corresponding to each sub-EKB are added.

[0342] That is, the combined EKB includes, in addition to the selected
sub-EKB's, the data indicating the data length of the respective
sub-EKB's [...] node ID's [...] identification data of the respective
category trees corresponding to the sub-EKB's. Furthermore, information
indicating the number of sub-EKB's included in the combined EKB is
described in the [...]. Furthermore, a signature 6800 is produced (by a
certificate authority or the [...]) [...] combined EKB and added
thereto.

[0343] Fig. 61 shows a combined EKB produced in the manner described
above with reference to Fig. 57. A sub-EKB described in a sub-EKB field
6110 is exactly the same as the sub-EKB-(A) produced by the TLCE of the
category tree A described above with reference to Fig. 55, wherein the
tag part thereof consists of 101, 010, 000, 111, and 111, and the key
part consists of Enc(K010, Kroot) and Enc(K011, Kroot). A sub-EKB
described in a sub-EKB field 6120 is exactly the same as the sub-EKB-(B)
produced by the TLCE of the category tree B described above with
reference to Fig. 56, wherein the tag part thereof consists of 110, 010,
000, 111, and 111, and the key part consists of Enc(K110, Kroot) and
Enc(K111, Kroot).

[0344] Fig. 52 shows the data structure of a combined EKB produced
[...] Figs. 58 and 59, produced in a situation in which there is a
revoked device. A sub-EKB described in a sub-EKB field 6110 is exactly
the same as the sub-EKB-(A') produced by the TLCE of the category tree A
described above with reference to Fig. 58, wherein the tag part thereof
consists of 101, 010, 000, 111, 000, 001, 111, and 111, and the key part
consists of Enc(K010, Kroot), Enc(K0111, Kroot), and Enc(K01100, Kroot).
A sub-EKB described in a sub-EKB field 6120 is exactly the same as the
sub-EKB-(B) produced by the TLCE of the category tree B, including no
revoked device, described above with reference to Fig. 56, wherein the
tag part thereof consists of 110, 010, 000, 111, and 111, and the key
part consists of Enc(K110, Kroot) and Enc(K111, Kroot).
[0345] The combined EKB described above makes it possible for a device
belonging to any category to select a sub-EKB corresponding to its
specific category and process (decrypt) the selected sub-EKB. This
allows a sub-EKB to be produced for each category (TLCE) using an
arbitrary cryptographic algorithm or key length. In other words, each
TLCE can determine the cryptographic algorithm and the key length
without [...] other categories.

[0346] The key distribution center (KDC) does not need to disassemble
[...] the tag parts and the key data parts of sub-EKBs received from
respective TLCE's, and thus the complexity of the process is eased.

[0347] When a device acquires an EKB produced according to the present
scheme, the device can detect a sub-EKB corresponding to a category to
which the device belongs, and can extract a root key by processing the
sub-EKB [...] device. It is not needed to [...]. It is not needed to
describe keys in a sub-EKB such that the keys have a [...], and [...]
may be set to any arbitrary value.

(Revocation (1))

[0348] A revocation process performed in a case where an EKB usable in
common by a plurality of categories is used is described below. First, a
revocation process is described which may occur in a situation in which
an encrypted content is acquired from the outside via a network or a
medium, a content key is decrypted using a key extracted from an EKB,
and finally the content is decrypted.

[0349] Referring to Fig. 63, an EKB 7000 is assumed to be used in
common by a category tree A (7100) and a category tree B (7200). The EKB
7000 used in common by the category tree A (7100) and the category tree
B (7200) is assigned an EKB type identification number #1 in the EKB
type definition list.
[0350] In such a situation, a content provider provides a content
encrypted using a content key via a network or a medium. Devices
belonging to the category tree A (7100) and devices belonging to the
category tree B (7200) use the content by extracting a root key from the
EKB 7000, acquiring the content key by performing decryption using the
root key, and finally decrypting the encrypted content using the content
key.

[0351] In this situation, if breakage of secrecy of key data or another
unauthorized [...] device A1 (7120) belonging to the category tree A
(7100) is detected, the device A1 (7120) is revoked.

[0352] To perform revocation, the TLCE of the category tree A (7100)
first issues a tree change notification (Fig. 53) to the key
distribution center (KDC). In accordance with the received tree change
notification, the key distribution center (KDC) sends a notification to
TLCE's and EKB requesters managed by the key distribution center (KDC).
The notification includes only information indicating that the tree
change notification has been received, and renewal of the EKB type
definition list is not performed at this point of time.

[0353] The tree change notification issued in response to revocation
may be sent only to entities of EKB [...] category tree in which
revocation occurs, or further to category entities managing other
category trees using the same EKB as that used by the category tree in
which revocation occurs. In order to make it possible to perform the
above process, the key distribution center (KDC) holds a list of users
of already-issued EKB's, in which [...] EKB types and corresponding
[...] numbers are listed.

[0354] A content provider which provides a content to devices in the
category tree in which revocation has been performed, and which is also
an EKB requester in this situation, requests the key distribution center
(KDC) to produce an EKB renewed such that only devices other than the
revoked device can process the EKB. In this specific case, the content
provider behaving as the EKB requester in such a situation specifies the
EKB type identification number #1 indicating the EKB type that is used
in common by the category tree A (7100) and the category tree B (7200).
Thereafter, the EKB requester produces a new root key and sends it to
the KDC, or alternatively, the EKB requester requests the KDC to produce
a new root key.

[0355] In accordance with the specified EKB type identification number
#1, the key distribution center (KDC) searches the EKB type definition
list to detect nodes of related category trees and requests TLCE's of
category trees A (7100) and B (7200) corresponding to the detected
nodes, to produce a sub-EKB from which authorized devices can extract a
new root key.

[0356] In response to the request, each of the TLCE's of the category
trees A (7100) and B (7200) produces a sub-EKB. In this specific case,
in the category tree A (7100), a sub-EKB-(A) is produced such that only
devices other than the revoked device A1 (7120) can extract a new root
key from the sub-EKB-(A).

[0357] In the category tree B (7200), if there is no revoked device, a
sub-EKB-(B) is produced such that all devices belonging to the category
B (7200) can extract a new root key from the sub-EKB-(B), and the
resultant sub-EKB-(B) is transmitted to the key distribution center
(KDC).

[0358] The key distribution center (KDC) produces a combined EKB from
the sub-EKB's received from the respective TLCE's in the above-described
manner, and transmits the resultant EKB to the EKB requester (content
provider).

[0359] The EKB requester (content provider) distributes a content [...]
from the key distribution center (KDC). More specifically, the EKB
requester (content provider) encrypts a content using a content key and
encrypts the content key using the root key extracted by decrypting the
EKB, and distributes the encrypted content and content key. The devices
belonging to the category tree A (7100) and the devices belonging to the
category tree B (7200) can use the content by [...] content key [...]
the root key, and finally decrypting the encrypted content using the
content key. However, the revoked device A1 (7120) in the category tree
A (7100) cannot process the renewed EKB and thus cannot use the content.

[0360] In the example described above, the key distribution center
(KDC) does not renew the EKB type definition list at the point of time
at which the tree change notification is received from the TLCE.
Alternatively, at the point of time at which the tree change
notification is received, the key distribution center (KDC) may renew
the EKB and the EKB type definition list in accordance with the tree
change notification and may transmit the renewed EKB type definition
list to the EKB requesters and TLCE's.

(Revocation (2))

[0361] A revocation process is described below which may occur in a
situation in which [...] contents are [...] or a storage medium in which
an EKB is stored, wherein a root key extracted from the EKB stored in
the recording device or the storage medium is used as a key needed in
encryption and decryption. This type of recording device or storage
medium [...] recording type.

[0362] Referring to Fig. 64, an EKB 7000 is assumed [...] a category
tree B (7200). That is, the EKB for common [...] storage media used in
common in the category tree A (8100) and the category tree B (8200), and
users record and play back a content by means of encryption and
decryption using the EKB. The EKB 8000 used in common by the category
tree A (8100) and the category tree B (8200) is assigned an EKB type
identification number #1 in the EKB type definition list.

[0363] In this situation, if breakage of secrecy of key data [...]
device A1 (8120) belonging to the category tree A (8100) is detected,
the device A1 (8120) is revoked.

[0364] To perform revocation, the TLCE of the category tree A (8100)
first issues a tree change notification (Fig. 53) to the key
distribution center (KDC). In accordance with the received tree change
notification, the key distribution center (KDC) sends a notification to
TLCE's managed by the key distribution center (KDC) and to associated
EKB requesters. The notification includes only information indicating
that the tree change notification has been received, and renewal of the
EKB type definition list is not performed at this point of time.

[0365] In order to prevent contents from being further used by the
revoked device A1 (8120), the TLCE of the category tree in which
revocation has occurred requests the key distribution center (KDC) to
produce an EKB renewed such that only devices other than the revoked
device can process the EKB. In this situation, this TLCE [...]. In this
specific case, the TLCE [...] such a situation specifies the EKB type
identification number #1 indicating the EKB type that is used in common
by the category tree A (8100) and the category tree B (8200).
Thereafter, the EKB requester produces a new root key and sends it to
the KDC, or alternatively, the EKB requester requests the KDC to produce
a new root key.

[0366] In accordance with the specified EKB type identification number
#1, the key distribution center (KDC) searches the EKB type definition
list to detect nodes of related category trees and requests TLCE's of
category trees A (8100) and B (8200) corresponding to the detected
nodes, to produce a sub-EKB from which authorized devices can extract a
new root key.

[0367] In response to the request, each of TLCE's of
the category trees A (8100) and B (8200) produces a
sub-EKB. In this specific case, in the category tree A
(8100), a sub-EKB-(A) is produced such that only devices
other than the revoked device A1 (8120) can extract
a new root key from the sub-EKB-(A). In the category
tree B (8200), if there is no revoked device, a
sub-EKB-(B) is produced such that all devices belonging
to the category tree B (8200) can extract a new root key
from the sub-EKB-(B), and the resultant sub-EKB-(B) is
transmitted to the key distribution center (KDC).
[0368] The key distribution center (KDC) produces a

C _ - HVP ,'lt)« 

transmits the resultant EKB to the respective TLCE's
(format holders).

[0369] Each TLCE (format holder) sends the new
EKB received from the key distribution center (KDC) to
devi s d i i vu f The 

devices belonging to the category tree A (8100) and the
devices belonging to the category tree B (8200)
record a new content into the devices using, in the
encryption, a root key extracted from
the updated EKB. The recorded content encrypted using
the new EKB can be decrypted only when the corresponding
EKB is applied, and thus the revoked device
cannot use the content.
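
The revocation step of [0367], in which a sub-EKB is built so that only devices other than the revoked one can extract the new root key, can be run end to end. The Python below is an added example, not code from the patent: it assumes a 4-level binary key tree with bit-string node indices as in FIG. 4, a constructed revoked leaf 0011, and a toy XOR/HMAC wrap standing in for Enc(). It generalizes FIG. 4(A) by covering every remaining device, so its EKB holds the five FIG. 4(A) indices plus entries for the sibling subtrees 1 and 01.

```python
import hashlib, hmac, os
from itertools import product

DEPTH = 4  # assumed layout: "" is the root, leaves are 4-bit indices such as "0010"

def _pad(kek, n):
    return hashlib.sha256(b"pad" + kek).digest()[:n]

def enc(kek, key):
    # Toy stand-in for Enc(kek, key): XOR pad plus HMAC tag, not a production key wrap.
    ct = bytes(a ^ b for a, b in zip(key, _pad(kek, len(key))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def dec(kek, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None  # wrong key: this holder cannot open the entry
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, len(ct))))

def make_tree():
    return {"".join(b): os.urandom(16) for d in range(DEPTH + 1) for b in product("01", repeat=d)}

def device_keys(tree, leaf):
    return {leaf[:i]: tree[leaf[:i]] for i in range(DEPTH + 1)}  # node key set on the leaf's path

def build_ekb(tree, revoked):
    # Renew each key on the revoked path; wrap it under each child key except the revoked leaf's.
    renewed = {revoked[:i]: os.urandom(16) for i in range(DEPTH)}
    ekb = {}
    for parent, new_key in renewed.items():
        for child in {parent + "0", parent + "1"} - {revoked}:
            ekb[child] = enc(renewed.get(child, tree[child]), new_key)
    return renewed[""], ekb

def process_ekb(leaf, node_keys, ekb):
    # Device side: open the entries on its own path, deepest first, climbing to the root.
    held, new_root = dict(node_keys), None
    for index in sorted((i for i in ekb if leaf.startswith(i)), key=len, reverse=True):
        key = dec(held[index], ekb[index])
        if key is not None:
            held[index[:-1]] = key  # renewed key of the parent node
            new_root = key if len(index) == 1 else new_root
    return new_root

def demo(revoked="0011", leaves=("0000", "0001", "0010", "0011", "1010")):
    # Constructed scenario: returns the EKB indices and, per leaf, whether it got the new root key.
    tree = make_tree()
    new_root, ekb = build_ekb(tree, revoked)
    return sorted(ekb), {l: process_ekb(l, device_keys(tree, l), ekb) == new_root for l in leaves}
```

The revoked leaf fails at its first entry because every key it still holds on its path has been replaced, which is the property the renewed EKB relies on.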

[0370] The present invention has been described in
detail above with reference to particular embodiments.
It will be apparent to those skilled in the art that various
modifications and substitutions to those embodiments
may be made in the embodiment chosen for illustration
without departing from the spirit and scope of the
invention. That is, the embodiments have been described
above by way of exar 1 stic The scope 
of She invention is to be 1 it ly by the ap 
I 0 ■ etc -ure 

Industrial Applicability 

[0371] In the information processing system and

'Cfifiq Jt-ieoroset 1 - 
above, a key tree is produced so as to include a plurality
of subtrees serving as category trees that are grouped

" SO - * \ v i t t V itt r _> 

<y 1 1. -v r } i) is producer 

■O >■■ tf -\ I ft l 1 ■> n ' t { if 

key tree and f. et f< vr Key ir u els* 

edpath ussn (ea d oath end 

the resultant EKB is provided to a
device, wherein EKB's are managed on the basis
of an EKB type definition list representing the
correspondence between an EKB type identifier and
one or more identification data identifying one or more
category trees that can process an EKB of an EKB type
Jest ie 1 the EKB , i by it ig it 

possible for an EKB requester which issues an EKB
I. eduction re rt - >- t itegcwy Jo which 
the EKB is to be applied. 



[0372] Furthermore, in the information processing
system and method according to the present invention,
a notification of a change in state of a category tree
capable of processing an EKB identified in the EKB type
definition list is sent to an entity that uses the EKB, thereby
making it possible to use newest EKB type definition
information in processing.



Claims

1. An information processing system in which a key
tree is formed so as to include a root, leaves, and
nodes existing in paths from the respective leaves
to the root; a plurality of devices are assigned to
respective leaves; keys are assigned to the root, the
leaves, and the nodes located in paths from the
root to leaves; an enabling key block (EKB) is produced
which includes data produced by selecting a
path in the key tree and encrypting an upper-level
key in the selected path using a lower-level key in
the selected path such that the encrypted data can
be decrypted only by the device which can use a
node key set corresponding to the selected path;
and the resultant enabling key block (EKB) is provided
to the device,

wherein the key tree includes a plurality of
subtrees serving as category trees that are grouped
in accordance with categories and managed by
category entities; and

the information processing system includes a
key distribution center (KDC) that produces and issues
an EKB capable of being decrypted in common
in one or more category trees, wherein the key
distribution center (KDC) has an EKB type definition
list representing the correspondence between an
EKB type identifier and one or more identification
data identifying one or more category trees that can
process an EKB of an EKB type identified by the
EKB type identifier, and

the key distribution center (KDC) sends a notification
of a change in state of a category tree capable
of processing an EKB identified in the EKB
type definition list to at least an entity that uses the
EKB capable of being processed in the category
tree in which the change in state has occurred.

2. An information processing system according to
Claim 1, wherein the change in state in a category
tree is a change in state arising from revocation (of
a device) in the category tree.

3. An information processing system according to
Claim 1, wherein the change in state in a category
tree is a change in state arising from a change of a
key stored in a device belonging to the category
tree.
4. An information processing system according to
Claim 1, wherein the entity, which uses the EKB,
includes an entity serving as an EKB requester that
issues an EKB production request to the key distribution
center (KDC).


5. An information processing system according to
Claim 1, wherein the entity, which uses the EKB,
includes an entity serving as a category entity that
manages a category tree capable of processing an
EKB defined in the EKB type definition list.



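6. An information processing system according to
Claim 1, wherein the key distribution center (KDC)
sends a notification of a change in state to all entities
serving as an EKB requester that issues an
EKB production request to the key distribution center
(KDC) or serving as a category entity that manages
a category tree.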

7. An information processing system according to
Claim 1, wherein the key distribution center (KDC)
receives state change information indicating occurrence
of a change in state of a category tree from a
category entity that manages said category tree,
produces a notification of the change in state in accordance
with the state change information received
from the category entity, and sends the produced
notification.

8. An information processing method in an information
processing system in which a key tree is formed so
as to include a root, leaves, and nodes existing in
paths from the respective leaves to the root; a plurality
of devices are assigned to respective leaves; keys are
assigned to the root, the leaves, and the nodes located
in paths from the root to leaves; an enabling key
block (EKB) is produced which includes data produced
by selecting a path in the key tree and encrypting
an upper-level key in the selected path using
a lower-level key in the selected path such that
the encrypted data can be decrypted only by the device
which can use a node key set corresponding
to the selected path; and the resultant enabling key
block (EKB) is provided to the device,

wherein a key distribution center (KDC),
which produces and issues an EKB capable of being
decrypted in common in one or more category
trees, sends a notification of a change in state of a
category tree capable of processing an EKB identified
in an EKB type definition list, in which the correspondence
between an EKB type identifier and
one or more identification data identifying one or
more category trees capable of processing an EKB
of an EKB type identified by the EKB type identifier
is described, to at least an entity that uses the EKB
capable of being processed in the category tree in
which the change in state has occurred.



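9. An information processing method according to
Claim 8, wherein the change in state in a category
tree is a change in state arising from revocation (of
a device) in the category tree.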



10. An information processing method according to
Claim 8, wherein the change in state in a category
tree is a change in state arising from a change of a
key stored in a device belonging to the category
tree.

11. An information processing method according to
Claim 8, wherein the entity, which uses the EKB,
includes an entity serving as an EKB requester that
issues an EKB production request to the key distribution
center (KDC).

12. An information processing method according to
Claim 8, wherein the entity, which uses the EKB,
includes an entity serving as a category entity that
manages a category tree capable of processing an
EKB defined in the EKB type definition list.

13. An information processing method according to
Claim 8, wherein the key distribution center (KDC)
sends a notification of a change in state to all entities
serving as an EKB requester that issues an
EKB production request to the key distribution center
(KDC) or serving as a category entity that manages
a category tree.

14. An information processing method according to
Claim 8, wherein the key distribution center (KDC)
receives state change information indicating occurrence
of a change in state of a category tree from a
category entity that manages said category tree,
produces a notification of the change in state in accordance
with the state change information received
from the category entity, and sends the produced
notification.

15. A program storage medium having a computer program
stored therein for causing a computer system
to execute information processing in an information
processing system in which a key tree is formed so
as to include a root, leaves, and nodes existing in
paths from the respective leaves to the root; a plurality
of devices are assigned to respective leaves;
keys are assigned to the root, the leaves, and the
nodes located in paths from the root to leaves; an
enabling key block (EKB) is produced which includes
data produced by selecting a path in the key
tree and encrypting an upper-level key in the selected
path using a lower-level key in the selected path
such that the encrypted data can be decrypted only
by the device which can use a node key set corresponding
to the selected path; and the resultant
enabling key block (EKB) is provided to the device, the
computer program comprising the steps of:

receiving state change information indicating
occurrence of a change in state of a category
tree from a category entity that manages said
category tree; and

producing a notification of the change in state
in accordance with the state change information
received from the category entity and sending
the produced notification to at least an entity
that uses the EKB capable of being processed
in the category tree in which the change in state
has occurred.
FIG. 4

(A) EKB (ENABLING KEY BLOCK): EXAMPLE 1

NODE KEYS OF VERSION OF t ARE
TRANSMITTED TO DEVICES 0, 1, AND 2

VERSION: t

INDEX    ENCRYPTION KEY
0        Enc(K(t)0, K(t)R)
00       Enc(K(t)00, K(t)0)
000      Enc(K000, K(t)00)
001      Enc(K(t)001, K(t)00)
0010     Enc(K0010, K(t)001)

(B) EKB (ENABLING KEY BLOCK): EXAMPLE 2

NODE KEYS OF VERSION OF t ARE
TRANSMITTED TO DEVICES 0, 1, AND 2

VERSION: t

INDEX    ENCRYPTION KEY
000      Enc(K000, K(t)00)
001      Enc(K(t)001, K(t)00)
0010     Enc(K0010, K(t)001)



EP 1 253 739 A1



FIG. 6

VERSION
DEPTH
DATA POINTER
TAG POINTER (604)
SIGNATURE POINTER
RESERVED
DATA (E(k0, Kroot), ...) (606)
TAG ({0, 0}, {1, 1}, ...) (607)
SIGNATURE (608)
STORED CONTENTS

CONTENT C1
CONTENT C2
CONTENT C3
CONTENT C4

DATA INDICATING
CORRESPONDENCE

STORED EKB
EKB_M

<CONTENT C1: EKB_1>
<CONTENT C2: EKB_2>
<CONTENT C3: EKB_M>
<CONTENT C4: EKBJVb 



STORAGE MEDIUM 
FIG. 24

FIG. 44

( START )

SELECT ENTITIES HAVING A SPECIFIED CAPABILITY FROM AN ENTITY MANAGEMENT TABLE

PRODUCE A SELECTED ENTITY ID LIST (S4302)

ON THE BASIS OF THE ID LIST, SELECT A PATH OF A TREE INCLUDING ONLY THE SELECTED ENTITIES (S4303)

DOES THE PATH INCLUDE ALL ENTITIES INCLUDED IN THE ID LIST SELECTED? (S4303)

PRODUCE A SELECTED ENTITY TREE CONSISTING OF ONLY THE SELECTED ENTITIES (S4305)

PRODUCE RENEWED KEYS FOR NODES INCLUDED IN THE SELECTED ENTITY TREE (S4306)

PRODUCE EKB OF THE SELECTED ENTITY TREE ON THE BASIS OF THE RENEWED NODE KEYS AND EKB CORRESPONDING TO THE SELECTED ENTITIES

( END )
FIG. 46

CATEGORY SUB TREE

FIG. 49

FIG. 60

6000

NUMBER OF SUB EKB'S INCLUDED IN AN EKB

SUB EKB LENGTH
NODE ID INDICATING THE CATEGORY OF A SUB EKB
SUB EKB

SUB EKB LENGTH
NODE ID INDICATING THE CATEGORY OF A SUB EKB
SUB EKB

SIGNATURE FOR ALL ITEMS DESCRIBED ABOVE